Cross-Site Scripting (XSS): Persistent

Low
stevespringett published GHSA-4gqv-hcmg-jw33 Dec 16, 2019 · 1 comment

Package

No package listed

Affected versions

>=3.0.0 <= 3.6.1

Patched versions

3.7.0

Description

An administrator creating new users could craft a malicious payload: if a username contained the appropriate escape sequence and malicious script, the stored payload could be executed in the browser of another administrator who later viewed that user.
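To illustrate the stored XSS described above from the defender's side, here is an added example (not Dependency-Track's own code; all function names and the sample user are hypothetical) contrasting a view that interpolates a stored username straight into HTML with one that HTML-encodes it first, plus an input check for the user-creation path.

```javascript
// Added example, not code from the Dependency-Track project. Names are hypothetical.

// Vulnerable pattern: the stored username is interpolated straight into HTML.
// Any markup an administrator put into the username is rendered as markup
// in every other administrator's browser when the user list is displayed.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.username}</td><td>${user.email}</td></tr>`;
}

// Hardened pattern: encode the five HTML-significant characters before the
// value reaches an HTML context, so the browser treats it as plain text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Defence in depth for the user-creation endpoint (not a substitute for
// output encoding): accept only usernames drawn from a conservative alphabet.
function isAcceptableUsername(username) {
  return /^[A-Za-z0-9._@-]{1,64}$/.test(username);
}

// Constructed sample: a username carrying a script tag, as the advisory describes.
const sampleUser = { username: "eve<script>void 0</script>", email: "eve@example.test" };
```

Rendering `sampleUser` through the unsafe function leaves the script tag intact, while the safe function emits `&lt;script&gt;`, which the browser displays rather than executes.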

Impact

This attack requires administrator permissions to persist the XSS payload, and the victim in whose browser the payload executes must also be an administrator.

CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CVSS v3.1 Score: 2.4

Patches

This issue has been corrected in Dependency-Track v3.7.0 and higher.

Credit

Thanks to steven.king@dbappsecurity.com.cn for finding and responsibly disclosing these issues.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs