SB2019121637 - Multiple vulnerabilities in dependency-track
Published: December 16, 2019 Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in another user's browser.
The vulnerability exists due to persistent cross-site scripting in project properties: property values containing script are stored and later rendered to other users. A remote user can create a project property whose value carries a malicious script payload, which executes in another user's browser.
User interaction is required: another portfolio manager must click the malicious property value.
2) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in another administrator's browser.
The vulnerability exists due to persistent cross-site scripting in the user creation functionality: crafted usernames are stored and later rendered to other administrators. A remote privileged user can create a user with a specially crafted username, which executes arbitrary script in another administrator's browser.
User interaction is required: another administrator must view the malicious payload.
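Both issues share one root cause, stored strings (a property value, a username) reaching the page unencoded. The JavaScript below is an added example, not code from this bulletin or from Dependency-Track, showing the output encoding a front end needs before placing such values into element text or attributes; the record field names (groupName, propertyName, propertyValue, username, email) are assumptions.

```javascript
// Added example (not Dependency-Track code): context-aware HTML encoding for
// the two stored, attacker-influenced fields this bulletin names.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Encode every character that can change meaning in element text or inside
// a quoted attribute value. A single regex pass avoids double-encoding '&'.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Render one row of a project-properties table. The value is encoded both
// as text content and inside the title attribute (assumed field names).
function renderPropertyRow(property) {
  const group = escapeHtml(property.groupName);
  const name = escapeHtml(property.propertyName);
  const value = escapeHtml(property.propertyValue);
  return `<tr><td>${group}</td><td>${name}</td><td title="${value}">${value}</td></tr>`;
}

// Render one row of the user administration table (assumed field names).
function renderUserRow(user) {
  const username = escapeHtml(user.username);
  const email = escapeHtml(user.email || '');
  return `<tr><td>${username}</td><td>${email}</td></tr>`;
}

// Constructed sample records carrying markup, as stored malicious input would.
// After encoding the markup is displayed literally instead of being parsed.
const SAMPLE_PROPERTY = {
  groupName: 'build',
  propertyName: 'notes',
  propertyValue: '<img src=x onerror="alert(1)">',
};
const SAMPLE_USER = {
  username: 'jdoe<script>alert(1)</script>',
  email: 'jdoe@example.test',
};
```

The same encoding must be applied at every sink that displays these fields, not only the two tables shown; a value that is safe as element text is still unsafe if later concatenated into a JavaScript string or a URL.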
Remediation
Install the update from the vendor's website.