Skip to content

Cross-Site Scripting (XSS): Persistent

stevespringett published GHSA-jp9v-w6vw-9m5v Jul 17, 2019

stevespringett published Jul 17, 2019

moderate severity
Affected versions: >=3.0.0 <= 3.5.0
Patched versions: 3.5.1


All versions of Dependency-Track from version 3.0.0 to 3.5.0. Malicious payloads would need to be crafted and stored by users with the PORTFOLIO_MANAGEMENT permission. Users without this permission would be unable to store malicious payloads but could be affected by data already persisted.


These issues have been corrected in Dependency-Track v3.5.1 and higher.


Thanks to 1jesper1 for finding and responsibly disclosing these issues.

Reported on Remediated on Turnaround
12 July, 2019 17 July, 2019 5 days
You can’t perform that action at this time.