Cross-site scripting in dependency-track - #VU127082

Published: December 16, 2019 / Updated: April 23, 2026


Vulnerability identifier: #VU127082
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DependencyTrack
Affected software:
dependency-track

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary script in another administrator's browser.

The vulnerability exists due to insufficient sanitization of usernames in the user creation functionality. A remote user with privileges to create accounts can supply a specially crafted username containing HTML or script; the value is stored and later rendered unescaped in the administration interface, so the script executes in the browser of any other administrator who views it (stored, or persistent, cross-site scripting).

User interaction is required: another administrator must view the page where the malicious username is rendered. Because the attacker already holds high privileges (CVSS PR:H), the practical impact is lateral movement between administrator sessions rather than an initial foothold.
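The following is an added illustration of the flaw described above and is not Dependency-Track's own code. It models the vulnerable pattern (interpolating a stored username straight into markup) next to the hardened rendering, plus a server-side username policy as defence in depth. The user records, the `onerror` payload, the username regex and all function names are assumptions constructed for the example.

```javascript
// Added example: stored XSS via a crafted username, and two mitigations.
// Illustrative code only; not Dependency-Track's own source.

// Constructed sample of user records as an administrator-facing view might
// receive them from a JSON API. The second username is a hypothetical payload.
const SAMPLE_USERS = [
  { username: "alice", email: "alice@example.test" },
  { username: '<img src=x onerror="alert(document.cookie)">', email: "attacker@example.test" },
];

// Vulnerable rendering: the stored username is interpolated into HTML markup
// unescaped, so a browser parses the payload as a live <img> element and
// runs its onerror handler in the viewing administrator's session.
function renderUserRowsUnsafe(users) {
  return users
    .map((u) => `<tr><td>${u.username}</td><td>${u.email}</td></tr>`)
    .join("\n");
}

// Minimal HTML escaper that is safe for text nodes and quoted attribute values.
// '&' is replaced first so later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every untrusted field is escaped before interpolation.
// (In DOM code the equivalent is assigning to textContent instead of innerHTML.)
function renderUserRowsSafe(users) {
  return users
    .map((u) => `<tr><td>${escapeHtml(u.username)}</td><td>${escapeHtml(u.email)}</td></tr>`)
    .join("\n");
}

// Defence in depth on the write path: reject markup characters in usernames
// before the record is stored. Assumed policy, not the project's own rule;
// output encoding above remains the primary fix, since stored data may
// already contain payloads created before the policy existed.
const USERNAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;
function isAcceptableUsername(name) {
  return USERNAME_RE.test(name);
}

// Quick check of rendered markup for an unescaped active element, usable
// when reviewing a page's HTML source for this class of bug.
function containsUnescapedActiveTag(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b/i.test(html);
}

// Demonstration when run directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe rows:\n" + renderUserRowsUnsafe(SAMPLE_USERS));
  console.log("safe rows:\n" + renderUserRowsSafe(SAMPLE_USERS));
  console.log("payload username accepted by policy:",
    isAcceptableUsername(SAMPLE_USERS[1].username));
}
```

The two rendering functions differ only in the `escapeHtml` calls; that is the whole fix on the read path. The username policy is a secondary control and, on its own, would not protect accounts created before it was introduced.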


Remediation

Install the security update from the vendor's website.

Sources