PT-2022-24919 · Showdown+1

Waterstraal · Published 2022-10-25 · Updated 2022-10-28 · CVE-2022-39350

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @dependencytrack/frontend versions prior to 4.6.1

Description: The Dependency-Track frontend is a Single Page Application (SPA) that renders vulnerability details with the JavaScript Markdown library Showdown. Showdown has no XSS countermeasures built in, and frontend versions before 4.6.1 neither encoded nor sanitized Showdown's output before inserting it into the page, so arbitrary JavaScript placed in HTML attributes within vulnerability details is executed in the context of the frontend. Actors with the VULNERABILITY MANAGEMENT permission can exploit this weakness by creating or editing a custom vulnerability and placing XSS payloads in its Description, Details, Recommendation, or References fields. The payload executes for users with the VIEW PORTFOLIO permission when they browse to the modified vulnerability's page.

Recommendations: For versions prior to 4.6.1, update to frontend version 4.6.1, which fixes the issue. As a temporary workaround, consider restricting the VULNERABILITY MANAGEMENT permission to limit who can exploit it. Additionally, avoid using the Description, Details, Recommendation, or References fields of custom vulnerabilities until the issue is resolved.
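The missing step the advisory describes, shown as an added example that is neither Dependency-Track's nor Showdown's code: renderer output is passed through an allow-list sanitizer before it is inserted into the DOM, so tags and attributes the content model does not need (event handlers, src, style, non-http(s) hrefs) are dropped. The sample input is a constructed stand-in for what a renderer that passes raw HTML through emits; the function names (sanitizeRenderedHtml, safeHref, rebuildTag) are assumptions, and in a real frontend a maintained library such as DOMPurify should do this job rather than a hand-written filter.

```javascript
// Added example, not Dependency-Track's or Showdown's code: allow-list
// sanitization of rendered Markdown before it reaches innerHTML.
const ALLOWED = new Map([['p', []], ['br', []], ['ul', []], ['ol', []], ['li', []],
  ['strong', []], ['em', []], ['code', []], ['pre', []], ['blockquote', []],
  ['h1', []], ['h2', []], ['h3', []], ['a', ['href', 'title']]]);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Text nodes: any '<' or '>' the tokenizer did not consume as a tag is made inert.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/"/g, '&quot;').replace(/</g, '&lt;');

// Links: only absolute http(s) URLs survive; control characters are stripped and
// any entity other than &amp; is rejected, so encoded "javascript:" cannot pass.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '');
  return !/&(?!amp;)/.test(v) && /^https?:\/\//i.test(v) ? v : null;
}

// Rebuild each tag from scratch: unknown tags vanish and only allow-listed
// attributes are emitted, so on* handlers, style and src never come back.
function rebuildTag(name, rawAttrs, closing) {
  const allowedAttrs = ALLOWED.get(name);
  if (allowedAttrs === undefined) return '';
  if (closing) return `</${name}>`;
  let attrs = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue;
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    const clean = attr === 'href' ? safeHref(value) : value;
    if (clean !== null) attrs += ` ${attr}="${escapeAttr(clean)}"`;
  }
  return `<${name}${attrs}>`;
}

function sanitizeRenderedHtml(html) {
  let out = '', last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    out += rebuildTag(m[1].toLowerCase(), m[2], m[0].startsWith('</'));
    last = TAG_RE.lastIndex;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample of what a renderer that passes raw HTML through emits for
// a crafted Description field; the hardened path sanitizes it before rendering.
const RENDERED = '<p>See <a href="https://example.com/advisory" title="Advisory">here</a>.' +
  '<img src="x" onerror="run()"><a href="javascript:run()">details</a></p>';
const renderHardened = () => sanitizeRenderedHtml(RENDERED);
```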

Exploit · Fix · XSS

Related Identifiers:
CVE-2022-39350
GHSA-c33w-pm52-mqvf

Affected Products:
@dependencytrack/frontend
Showdown