CVE-2022-39350: 
JavaScript vulnerability analysis and mitigation

CVE-2022-39350 is a Cross-Site-Scripting (XSS) vulnerability discovered in the Dependency-Track frontend package (@dependencytrack/frontend). The vulnerability was published on October 24, 2022, affecting versions below 4.6.1. The issue stems from the frontend's use of the Showdown JavaScript library for rendering vulnerability details in markdown format without proper XSS countermeasures (GitHub Advisory).

The vulnerability is classified as CWE-79 (Cross-Site Scripting) with a CVSS score of 5.4 (Medium). The vulnerability exists due to insufficient sanitization of markdown content rendered using the Showdown library. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (GitHub Advisory).

The vulnerability allows actors with VULNERABILITYMANAGEMENT permission to execute arbitrary JavaScript by injecting XSS payloads through vulnerability details fields including Description, Details, Recommendation, and References. The payload executes when users with VIEWPORTFOLIO permission access the modified vulnerability's page (GitHub Advisory).

The vulnerability has been patched in frontend version 4.6.1. Users should upgrade to this version or later to mitigate the risk. The Vulnerability Details element in the Audit Vulnerabilities tab of the project view is not affected by this vulnerability (GitHub Advisory).