// For flags

CVE-2022-39350

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1.

dependencytrack/frontend es una aplicación de página única (SPA) usada en Dependency-Track, una plataforma de análisis de componentes de código abierto que permite a las organizaciones identificar y reducir el riesgo en la cadena de suministro de software. Debido a la práctica común de proporcionar detalles de vulnerabilidad en formato markdown, el frontend de Dependency-Track los renderiza usando la biblioteca JavaScript Showdown. Showdown no presenta ninguna contramedida de tipo XSS incorporada, y Las versiones anteriores a 4.6.1 del frontend Dependency-Track no codificaban ni saneaban la salida de Showdown. Esto hacía posible que el JavaScript arbitrario incluido en los detalles de la vulnerabilidad por medio de atributos HTML es ejecutadora en el contexto del frontend. Los actores con el permiso "VULNERABILITY_MANAGEMENT" pueden explotar esta debilidad al crear o editar una vulnerabilidad personalizada y proporcionando cargas útiles de tipo XSS en cualquiera de los siguientes campos: Description, Details, Recommendation, o References. La carga útil es ejecutada para usuarios con el permiso "VIEW_PORTFOLIO" cuando naveguen a la página de la vulnerabilidad modificada. Alternativamente, el JavaScript malicioso podría ser introducido por medio de cualquiera de las bases de datos de vulnerabilidades reflejadas por Dependency-Track. Sin embargo, este vector de ataque es altamente improbable, y los mantenedores de Dependency-Track no presentan conocimiento de que esto ocurra. Tenga en cuenta que el elemento "Detalles de la vulnerabilidad" de la pestaña "Auditoría de vulnerabilidades" en la vista del proyecto no está afectado. El problema ha sido corregido en versión 4.6.1 del frontend

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-10-25 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-09-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Owasp
Search vendor "Owasp"
Dependency-track Frontend
Search vendor "Owasp" for product "Dependency-track Frontend"
< 4.6.1
Search vendor "Owasp" for product "Dependency-track Frontend" and version " < 4.6.1"
-
Affected