Cross-site scripting in dependency-track - #VU127081

Published: December 16, 2019 / Updated: April 23, 2026


Vulnerability identifier: #VU127081
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DependencyTrack
Affected software:
dependency-track

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in another user's browser.

The vulnerability exists due to persistent cross-site scripting in project properties when handling property values containing malicious script. A remote user can create a project property with a malicious script payload to execute arbitrary script in another user's browser.

User interaction is required, as another portfolio manager must click the malicious property value.
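The defect described above is a missing output-encoding step when a stored property value is written into the page. As an added example (not code from this advisory or from the Dependency-Track project), the following contrasts the unsafe concatenation pattern with a hardened renderer that encodes every untrusted field, and adds a simple audit check a defender can run over exported properties after patching. All function names and the sample rows are assumed for illustration.

```javascript
// Added example, not Dependency-Track code. Names (escapeHtml,
// renderPropertyRow, findMarkupInProperties) are assumed for illustration.

// Map each HTML-significant character to its entity so a stored value can
// never be interpreted as markup when placed into an HTML element context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: a stored value is concatenated straight into HTML, so any
// markup it contains is parsed and rendered by the viewer's browser.
function renderPropertyRowUnsafe(prop) {
  return `<tr><td>${prop.groupName}</td><td>${prop.propertyName}</td>` +
         `<td>${prop.propertyValue}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded before it reaches the
// DOM, so the value is displayed as text regardless of its contents.
function renderPropertyRow(prop) {
  return `<tr><td>${escapeHtml(prop.groupName)}</td>` +
         `<td>${escapeHtml(prop.propertyName)}</td>` +
         `<td>${escapeHtml(prop.propertyValue)}</td></tr>`;
}

// Defender-side audit: flag stored properties whose value contains markup
// characters, so they can be reviewed after the fix is deployed.
function findMarkupInProperties(props) {
  return props.filter((p) => /[<>]/.test(String(p.propertyValue)));
}

// Constructed sample rows (not real data) shaped like project properties.
const SAMPLE_PROPERTIES = [
  { groupName: 'build', propertyName: 'owner', propertyValue: 'team-a' },
  { groupName: 'build', propertyName: 'note', propertyValue: '<b>x</b> & "y"' },
];
```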


Remediation

Install security update from vendor's website.

Sources