CVE-2025-64758
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
Description
### Description

Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message": HTML that is rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed.

### Impact

Users with the `SYSTEM_CONFIGURATION` permission (i.e., administrators) can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page.

### Patches

The issue has been fixed in version 4.13.6.

### References

* The issue was introduced via: https://github.com/DependencyTrack/frontend/pull/986
* The issue was fixed via: https://github.com/DependencyTrack/frontend/pull/1378

### Credit

Thanks to *Jonas Benjamin Friedli* for identifying and responsibly disclosing the issue.
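An added example (not Dependency-Track's code, and not the change from the linked fix PR): a small allowlist sanitizer of the kind that has to run before an admin-supplied fragment such as the welcome message is inserted into the login page. The tag and attribute allowlists and the URL scheme check are assumptions chosen for the demonstration.

```javascript
// Added example, not Dependency-Track's code: allowlist-sanitize admin-supplied
// HTML before it is rendered. Everything not explicitly allowed is dropped.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'a']);   // assumed
const ALLOWED_ATTRS = { a: new Set(['href']) };            // per-tag attribute allowlist
const SAFE_URL = /^(https?:|mailto:)/i;                    // rejects javascript:, data:, ...

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');

function sanitizeWelcomeMessage(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {                                 // text run: escape and copy
      let end = html.indexOf('<', i); if (end === -1) end = html.length;
      out += escapeText(html.slice(i, end)); i = end; continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/.exec(html.slice(i));
    if (!m) { out += '&lt;'; i += 1; continue; }            // stray '<' becomes text
    i += m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'script' || tag === 'style') {             // drop element and its whole body
      const close = html.toLowerCase().indexOf('</' + tag, i);
      const gt = close === -1 ? -1 : html.indexOf('>', close);
      if (!closing) i = gt === -1 ? html.length : gt + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;                  // unknown tag removed, its text kept
    if (closing) { out += '</' + tag + '>'; continue; }
    let attrs = '';
    const allowed = ALLOWED_ATTRS[tag];
    if (allowed) {
      const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
      let a;
      while ((a = re.exec(m[3])) !== null) {
        const name = a[1].toLowerCase();
        const value = (a[2] ?? a[3] ?? a[4]).trim();
        if (!allowed.has(name)) continue;                  // on* handlers, style, etc. dropped
        if (name === 'href' && !SAFE_URL.test(value)) continue;
        attrs += ' ' + name + '="' + escapeText(value) + '"';
      }
    }
    out += '<' + tag + attrs + '>';                        // rebuilt from parsed parts only
  }
  return out;
}
```

In production a maintained sanitizer library is the better choice; the point of the example is the fail-closed shape: parse, keep only known tags and attributes, and rebuild the markup instead of passing the original string through.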
How to fix CVE-2025-64758
To remediate CVE-2025-64758, upgrade the affected package to a fixed version below.
- @dependencytrack/frontend: upgrade to 4.13.6 or later
Is CVE-2025-64758 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @dependencytrack/frontend: >= 4.12.0, < 4.13.6
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |