Description
A user holding portfolio manager permissions could store a malicious payload in the value of a project property. If another portfolio manager later clicked on that value, the script it contained would execute in that user's browser (a stored cross-site scripting issue).
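The pattern behind this class of bug, as an added illustration that is not Dependency-Track's own code: a property value is interpolated into markup without escaping, so a stored payload becomes live HTML when the row is rendered. The hardened variant escapes every untrusted field first. The property fields (groupName, propertyName, propertyValue), the sample payload and the render helpers are assumptions made for this example.

```javascript
// Added example, not Dependency-Track code: rendering a project property
// row into HTML. Field names and the sample payload are hypothetical.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable: the stored value goes straight into the markup.
function renderPropertyRowVulnerable(prop) {
  return `<tr><td>${prop.groupName}</td><td>${prop.propertyName}</td>` +
         `<td class="value">${prop.propertyValue}</td></tr>`;
}

// Hardened: every user-controlled field is escaped before interpolation.
function renderPropertyRowSafe(prop) {
  return `<tr><td>${escapeHtml(prop.groupName)}</td>` +
         `<td>${escapeHtml(prop.propertyName)}</td>` +
         `<td class="value">${escapeHtml(prop.propertyValue)}</td></tr>`;
}

// Constructed sample property: the kind of value a portfolio manager could
// persist. The payload is illustrative only.
const SAMPLE_PROPERTY = {
  groupName: 'build',
  propertyName: 'notes',
  propertyValue: '<img src=x onerror="alert(document.cookie)">',
};

// Check whether rendered markup contains any tag other than the template's
// own <tr>/<td>. With proper escaping, no '<' from the stored value survives.
function containsForeignMarkup(html) {
  const withoutTemplate = html.replace(/<\/?(tr|td)(\s[^>]*)?>/g, '');
  return /<[a-z/!]/i.test(withoutTemplate);
}

// Stand-alone demonstration.
console.log('vulnerable:', containsForeignMarkup(renderPropertyRowVulnerable(SAMPLE_PROPERTY)));
console.log('hardened:  ', containsForeignMarkup(renderPropertyRowSafe(SAMPLE_PROPERTY)));
```

When the value is written through the DOM rather than a string template, assigning it to `textContent` (or letting a framework's default text binding render it) gives the same protection as escapeHtml; the defect is only introduced by injecting raw strings via innerHTML or an unescaped template.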
Impact
Exploitation requires portfolio manager permissions to persist the XSS payload, and the victim must also hold portfolio manager permissions for the payload to be triggered.
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CVSS v3.1 Score: 3.5
Patches
This issue has been corrected in Dependency-Track v3.7.0 and higher.
Credit
Thanks to Nicolas Haberkorn for finding and responsibly disclosing these issues.