
Cross-Site Scripting (XSS): Persistent

Severity: moderate

stevespringett published GHSA-jp9v-w6vw-9m5v Jul 17, 2019

Package

No package listed

Affected versions

>= 3.0.0, <= 3.5.0

Patched versions

3.5.1

Description

Impact

All versions of Dependency-Track from 3.0.0 through 3.5.0 are affected by persistent (stored) cross-site scripting. A malicious payload would need to be crafted and stored by a user holding the PORTFOLIO_MANAGEMENT permission. Users without this permission cannot store such payloads, but they are still affected when they view data that has already been persisted, since the stored script then runs in their browser under their own session.
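The following is an added illustration of the class of bug described above, not code from Dependency-Track or from this advisory. It models a persisted portfolio record whose name field was stored by a privileged user and is later rendered for another viewer, shows the unescaped rendering that lets the stored payload execute, and shows the output-escaped rendering that displays it as text instead. The record shape, field names and function names are hypothetical, and the sample records are constructed for the example.

```javascript
// Added example (not Dependency-Track's own code): stored XSS arises when a
// value persisted by one user is rendered unescaped to another user, and is
// fixed by escaping at the point of output. Names below are hypothetical.

// Constructed sample of persisted records. The second was stored by a user
// holding the (hypothetical) PORTFOLIO_MANAGEMENT permission and carries a
// payload; the view is later rendered for any user who can see the portfolio.
const persistedProjects = [
  { name: "acme-web", version: "1.2.3" },
  { name: '<img src=x onerror="alert(document.cookie)">', version: "0.1" },
];

// Vulnerable: persisted strings are concatenated straight into markup.
// Assigning this string to element.innerHTML runs the stored payload in the
// viewer's browser, under the viewer's session rather than the attacker's.
function renderProjectRowVulnerable(project) {
  return `<tr><td>${project.name}</td><td>${project.version}</td></tr>`;
}

// Minimal HTML escaper for text placed in element content. Attribute values,
// URLs and script contexts need context-specific encoding beyond this.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: every persisted value is escaped when it is written into markup,
// so the payload is shown as literal text instead of parsed as a tag.
function renderProjectRowSafe(project) {
  return `<tr><td>${escapeHtml(project.name)}</td><td>${escapeHtml(project.version)}</td></tr>`;
}

// Renders the whole constructed portfolio with the given row renderer.
function renderPortfolio(render) {
  return persistedProjects.map(render).join("\n");
}

// Lists the tag names present in a fragment of markup (opening and closing).
function tagNames(html) {
  return [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Reports any tag that the template itself did not emit. A non-empty result
// means persisted data was interpreted as markup, i.e. the stored-XSS sink.
function unexpectedTags(html, allowed = ["tr", "td"]) {
  return tagNames(html).filter((t) => !allowed.includes(t));
}

// Demonstration: the vulnerable renderer leaks an <img> tag from the stored
// record; the hardened renderer emits only the template's own <tr>/<td> tags.
console.log(unexpectedTags(renderPortfolio(renderProjectRowVulnerable))); // [ 'img' ]
console.log(unexpectedTags(renderPortfolio(renderProjectRowSafe)));       // []
```

The allowlist check is a test aid, not a production defense: the fix is escaping (or a templating layer that escapes by default) at every point where persisted data is written into the page, regardless of which permission was needed to store it.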

Patches

These issues have been corrected in Dependency-Track v3.5.1 and higher.

Credit

Thanks to 1jesper1 for finding and responsibly disclosing these issues.

Reported on: 12 July, 2019
Remediated on: 17 July, 2019
Turnaround: 5 days

GHSA ID

GHSA-jp9v-w6vw-9m5v
