Description
As an administrator, malicious payloads could be crafted when creating new users: if a username contained the appropriate escape sequence followed by a malicious script, the stored payload could be executed in the browser of another administrator who viewed it (a stored XSS).
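The defensive fix for this class of bug is output encoding of the stored username wherever the admin UI renders it. The following is an added illustration, not Dependency-Track's own code; the row-rendering functions, the `user` object fields and the sample username are assumptions made for the example.

```javascript
"use strict";

// Minimal HTML entity encoder for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored username is concatenated straight into the
// markup of the user list, so markup inside the name is parsed by the browser
// of whichever administrator opens the page.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.username}</td><td>${user.email}</td></tr>`;
}

// Hardened pattern: every field that originated from user input is encoded
// before it is concatenated into the markup.
function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.username)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Check used to compare the two renderers: does the output still contain an
// unencoded opening tag with the given name?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, "i").test(html);
}

// Constructed sample (hypothetical): a username as an administrator might
// have saved it. The script body is deliberately inert.
const sampleUser = { username: "<script>1</script>", email: "x@example.test" };

console.log(renderUserRowUnsafe(sampleUser)); // tag survives, would execute
console.log(renderUserRow(sampleUser));       // tag is rendered as literal text
```

The same encoding must be applied at every sink that displays the name (tables, tooltips, audit logs), since the stored value itself is unchanged.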
Impact
This attack requires administrator permissions to persist the XSS payload, and the payload can only be triggered in the browser of another administrator.
CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
CVSS v3.1 Score: 2.4
Patches
This issue has been corrected in Dependency-Track v3.7.0 and higher.
Credit
Thanks to steven.king@dbappsecurity.com.cn for finding and responsibly disclosing these issues.