Headline
GHSA-7xvh-c266-cfr5: @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
Description
Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message": HTML that is rendered on the login page for branding purposes.
When rendering the welcome message, Dependency-Track frontend versions before 4.13.6 did not properly sanitize this HTML, allowing arbitrary JavaScript embedded in it to be executed in the browser of anyone who loads the login page.
Impact
Users with the SYSTEM_CONFIGURATION permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript in the browsers of users visiting the login page.
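The defensive pattern this advisory points at is rendering administrator-supplied HTML only after reducing it to an allowlisted subset. The sanitizer below is an added example written for this page; it is not the Dependency-Track frontend's code and not the fix from the referenced pull request. It assumes a small set of formatting tags is enough for branding, keeps only `href` and `title` on links, drops event-handler attributes entirely, and rejects `href` values whose scheme is not http, https or mailto (after stripping the control characters browsers ignore, so that a value such as `java<TAB>script:` does not slip through). Elements like `script` and `style` lose their content, not just their tags.

```javascript
// Allowlist-based HTML sanitizer for an admin-supplied branding message.
// Added example, not Dependency-Track code. Tag and attribute lists are assumptions
// about what a login-page welcome message needs; tighten them for your deployment.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li", "h1", "h2", "h3"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const SAFE_URL = /^(https?:|mailto:)/i;
// Elements whose entire content is dropped, not only the tag itself.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function safeUrl(value) {
  // Browsers ignore ASCII control/whitespace inside the scheme, so strip them before checking.
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  return SAFE_URL.test(cleaned) ? cleaned : null;
}

function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue; // drops onclick=, onerror=, style=, ...
    let value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name === "href") {
      value = safeUrl(value);
      if (value === null) continue; // javascript:, data:, vbscript: and friends are dropped
    }
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  // Tokens: comment | start/end tag (name, raw attributes) | text run | stray "<"
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = "";
  let skipUntil = null; // name of the element whose content is currently being dropped
  let m;
  while ((m = tokenRe.exec(input)) !== null) {
    const token = m[0];
    const tagName = m[1] ? m[1].toLowerCase() : null;
    if (skipUntil !== null) {
      if (tagName === skipUntil && token.startsWith("</")) skipUntil = null;
      continue;
    }
    if (token.startsWith("<!--")) continue; // comments carry nothing a banner needs
    if (tagName === null) { out += escapeText(token); continue; } // plain text or stray "<"
    if (DROP_CONTENT.has(tagName)) {
      if (!token.startsWith("</")) skipUntil = tagName;
      continue;
    }
    if (!ALLOWED_TAGS.has(tagName)) continue; // unknown tag: drop the tag, keep its text
    if (token.startsWith("</")) { out += `</${tagName}>`; continue; }
    out += `<${tagName}${sanitizeAttrs(tagName, m[2])}>`;
  }
  return out;
}

// Constructed sample welcome message mixing legitimate branding with injected script.
const SAMPLE_WELCOME = '<p>Welcome to <b>ACME</b></p><script>alert(1)</script>' +
  '<a href="javascript:alert(1)" onclick="steal()">Docs</a>';

module.exports = { sanitizeHtml, sanitizeAttrs, safeUrl, escapeText, SAMPLE_WELCOME };
```

Run with `node sanitize.js` after adding a `console.log(sanitizeHtml(SAMPLE_WELCOME))`; the constructed sample comes back as `<p>Welcome to <b>ACME</b></p><a>Docs</a>`. The same test inputs (script element, event-handler attribute, `javascript:` and tab-obfuscated `href`, unknown `img` tag) are the minimum a reviewer should run against whatever sanitizer the frontend actually uses, since an allowlist that misses one of them leaves the login page exposed in exactly the way this advisory describes.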
Patches
The issue has been fixed in version 4.13.6.
References
- The issue was introduced via: https://github.com/DependencyTrack/frontend/pull/986
- The issue was fixed via: https://github.com/DependencyTrack/frontend/pull/1378
Credit
Thanks to Jonas Benjamin Friedli for identifying and responsibly disclosing the issue.