@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
Description
@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in the context of the frontend. Actors with the VULNERABILITY_MANAGEMENT permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the VIEW_PORTFOLIO permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the Vulnerability Details element of the Audit Vulnerabilities tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @dependencytrack/frontend (npm) | < 4.6.1 | 4.6.1 |
Affected products
- DependencyTrack/frontend: affected range < 4.6.1
Patches
Vulnerability mechanics
Root cause
"The frontend did not sanitize or encode output from the Showdown JavaScript library, allowing for Cross-Site Scripting."
Attack vector
An attacker with the `VULNERABILITY_MANAGEMENT` permission can inject arbitrary JavaScript into vulnerability details. This is achieved by creating or editing a custom vulnerability and including XSS payloads in fields such as Description, Details, Recommendation, or References. When a user with `VIEW_PORTFOLIO` permission views the modified vulnerability, the payload is executed within their browser context. The advisory notes that while XSS could theoretically be introduced via mirrored vulnerability databases, this vector is considered highly unlikely [ref_id=1].
Affected code
The vulnerability exists in the Dependency-Track frontend's handling of vulnerability details, which are rendered using the Showdown JavaScript library. Versions prior to 4.6.1 did not sanitize or encode Showdown's output, so HTML (including attributes carrying JavaScript) in those fields reached the page unchanged. The affected code is therefore the frontend's markdown-rendering path for the Description, Details, Recommendation, and References fields, where Showdown's HTML output was inserted into the page without a sanitization or encoding step.
What the fix does
The issue was resolved by updating the frontend to version 4.6.1. This update likely includes sanitization or encoding mechanisms for the output generated by the Showdown JavaScript library, preventing the execution of arbitrary JavaScript payloads. The advisory does not provide specific details on the exact implementation of the fix, but the version update addresses the vulnerability by ensuring that user-supplied content within vulnerability details is handled safely [ref_id=1].
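As an added illustration (not Dependency-Track's code, and not the fix itself, whose implementation this page does not describe), the kind of sanitization step that was missing: an allowlist pass over the HTML a markdown renderer such as Showdown emits, applied before that HTML reaches the DOM. Showdown is not bundled here; the strings passed to `sanitizeHtml` are constructed stand-ins for its output, and `sanitizeHtml`, `sanitizeTag`, `ALLOWED_TAGS` and `ALLOWED_ATTRS` are names chosen for this example.

```javascript
// Added example, not Dependency-Track code: an allowlist pass over the HTML that
// a markdown renderer such as Showdown emits, the step versions < 4.6.1 lacked.
// Showdown is not bundled here; the strings fed to sanitizeHtml stand in for its output.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'a', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li',
  'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote',
]);
// Attributes kept, per element. Everything else (on* handlers, style, src, ...)
// is dropped even on allowed elements, which is what defeats attribute-based XSS.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
// href must start with a known-safe scheme; anything else (javascript:, data:,
// entity-encoded or whitespace-padded variants) fails the prefix test and is dropped.
const SAFE_URL = /^(https?:|mailto:|#)/i;

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Rebuild one tag from scratch: lowercase known element name, allowed attributes only.
function sanitizeTag(tag) {
  const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(tag);
  if (!m) return '';
  const closing = m[1] === '/';
  const name = m[2].toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return '';  // unknown element: tag removed, its text kept
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let attrs = '';
  let a;
  while ((a = attrRe.exec(m[3])) !== null) {
    const key = a[1].toLowerCase();
    const val = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    if (!allowed.has(key)) continue;
    if (key === 'href' && !SAFE_URL.test(val)) continue;
    attrs += ` ${key}="${escapeAttr(val)}"`;
  }
  if (name === 'a') attrs += ' rel="noopener noreferrer"';
  return `<${name}${attrs}>`;
}

function sanitizeHtml(html) {
  // script/style elements are removed whole, content included.
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Every complete tag is rebuilt; a stray '<' that never formed a complete tag is
  // escaped so the browser cannot later parse it as the start of one.
  return stripped.replace(/<\/?[a-zA-Z][^>]*>|</g, (t) => (t === '<' ? '&lt;' : sanitizeTag(t)));
}
```

In a production frontend this role belongs to a maintained sanitizer such as DOMPurify rather than a hand-written pass like this one; the point here is the allowlist principle (known elements, known attributes, known URL schemes) that an encode-or-sanitize step must enforce on renderer output.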
Preconditions
- auth: The attacker must possess the `VULNERABILITY_MANAGEMENT` permission.
- auth: The victim user must possess the `VIEW_PORTFOLIO` permission.
- input: The attacker must be able to create or edit custom vulnerability details.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References