@dependencytrack/frontend@1.0.0-alpha.9 vulnerabilities

Single Page Application for OWASP Dependency-Track

  • latest version

    1.0.0-alpha.9

  • first published

    5 years ago

  • latest version published

    5 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @dependencytrack/frontend package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Cross-site Scripting (XSS), severity M

    @dependencytrack/frontend is a Single Page Application for OWASP Dependency-Track

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Vulnerability Details module, due to the frontend not encoding or sanitizing the Showdown library's output.

    Actors with the VULNERABILITY_MANAGEMENT permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields:

    • Description
    • Details
    • Recommendation
    • References

    The payload will be executed for users with the VIEW_PORTFOLIO permission when browsing to the modified vulnerability's page.

    Note

    The Vulnerability Details element of the Audit Vulnerabilities tab in the project view is not affected.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    Vulnerable version: *