Dependency-Track Welcome Message Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Dependency-Track frontend component, affecting versions from 4.12.0 up to, but not including, 4.13.6. It allows users holding the SYSTEM_CONFIGURATION permission (administrators) to execute arbitrary JavaScript on the login page. The root cause is improper sanitization of HTML in the customizable welcome message feature introduced in version 4.12.0: the stored message is rendered as markup rather than as text. Exploitation results in malicious scripts running in the browser session of any user who loads the login page.

Impact

Exploitation of this vulnerability yields persistent (stored) cross-site scripting: the injected JavaScript is stored in the configuration and executed for every user who visits the login page.

Reproduction

To reproduce this vulnerability, an administrator logs into Dependency-Track and navigates to the configuration settings. There, they set a custom welcome message containing unsanitized HTML or JavaScript. Once the message is saved, it is displayed on the login page, where the injected script executes.

Remediation

Update to Dependency-Track version 4.13.6 or later, where this vulnerability has been fixed.
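The defect class behind this advisory, shown as an added example that is not Dependency-Track's own frontend code: an administrator-controlled welcome message is inserted into the login page as raw HTML, so any markup it contains becomes active. The safe variant escapes the message so it renders as text, and a small audit helper lets an operator check whether the message currently stored on an affected instance contains markup at all. The function names and the sample messages are assumptions made for this example.

```javascript
// Escape the five HTML metacharacters so the message is displayed as text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored message is interpolated into the page verbatim.
// Illustrative of the advisory's defect class, not the project's actual template.
function renderWelcomeUnsafe(message) {
  return `<div class="welcome">${message}</div>`;
}

// Safe rendering: the message is escaped before interpolation, so markup in it
// is shown to the user as literal characters and never parsed by the browser.
function renderWelcomeSafe(message) {
  return `<div class="welcome">${escapeHtml(message)}</div>`;
}

// Audit helper (assumed name): conservatively flags any stored message that
// contains tag characters or HTML entities. A plain-text welcome message should
// need neither, so a hit is worth reviewing while still on an affected version.
function containsMarkup(message) {
  return /[<>]/.test(message) || /&#?\w+;/.test(message);
}

// Constructed sample messages; not taken from the advisory.
const PLAIN_MESSAGE = 'Welcome to Dependency-Track. Sign in to continue.';
const MARKUP_MESSAGE = 'Welcome <script>alert(1)</script>';

// Stand-alone demonstration of the difference between the two renderers.
function demo() {
  return {
    unsafeKeepsScript: renderWelcomeUnsafe(MARKUP_MESSAGE).includes('<script>'),
    safeKeepsScript: renderWelcomeSafe(MARKUP_MESSAGE).includes('<script>'),
    plainFlagged: containsMarkup(PLAIN_MESSAGE),
    markupFlagged: containsMarkup(MARKUP_MESSAGE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Escaping on output is the minimal fix; a frontend that genuinely needs rich-text welcome messages should instead pass the stored value through an allowlist sanitizer before rendering, which is a separate design decision from the escaping shown here.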

Added: Nov 17, 2025, 6:18 PM
Updated: Nov 17, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.