CVE-2022-4898

Published: Jan 31, 2023Modified: Mar 27, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS

Affected (3)

Products: Octopus: Octopus Server

Octopus

1 product

Octopus Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Octopus Octopus Server	From 2019.7.0 to 2022.2.8552
Octopus Octopus Server	From 2022.3.348 to 2022.3.10750
Octopus Octopus Server	From 2022.4.791 to 2022.4.8319

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://advisories.octopus.com/post/2022/sa2023-01/

Source: security@octopus.com

https://advisories.octopus.com/post/2022/sa2023-01/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.