First published: Tue Jan 31 2023
In affected versions of Octopus Server, the help sidebar can be customized to include a Cross-Site Scripting (XSS) payload in the support link. This was initially resolved in advisory 2022-07; however, it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS.
Credit: security@octopus.com
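The advisory's point that the first fix could be bypassed is a general one about sanitizing a user-customizable link: a check that rejects a recognisable "bad" prefix can be sidestepped by input a browser normalises before reading the scheme, whereas parsing the value with the URL parser and allowing only http(s) is not. The following is an added illustration of that contrast, not Octopus Deploy's code and not the actual bypass from the advisory; the naive filter, the default URL, and all function names are hypothetical.

```javascript
// Added example (not Octopus Deploy code): a fragile blocklist on a
// customizable support link beside an allowlist-based alternative.
// All names here are hypothetical and chosen for illustration.

// Hypothetical default used when a customized link is rejected.
const DEFAULT_SUPPORT_URL = "https://support.example.com/";

// Naive blocklist: rejects only a literal "javascript:" prefix. This is a
// constructed illustration of a fragile check, not the vendor's original fix.
function blocklistSanitize(href) {
  if (href.toLowerCase().startsWith("javascript:")) {
    return DEFAULT_SUPPORT_URL;
  }
  return href;
}

// Allowlist: normalize with the WHATWG URL parser (which, like a browser,
// strips leading whitespace and embedded tabs/newlines before reading the
// scheme) and accept only absolute http(s) URLs. Returns null on rejection.
function allowlistSanitize(href) {
  let url;
  try {
    url = new URL(href); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }
  return url.href; // serialized form, unsafe path characters percent-encoded
}

// Escape for use in HTML text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the sidebar anchor: validated URL plus attribute and text escaping,
// falling back to the default link when the customized value is rejected.
function renderSupportLink(customHref, label) {
  const safeHref = allowlistSanitize(customHref) ?? DEFAULT_SUPPORT_URL;
  return `<a href="${escapeHtml(safeHref)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Constructed inputs: one benign link and several that a browser would still
// treat as a javascript: URL even though only one matches the literal prefix.
const samples = [
  "https://support.example.com/contact",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",    // leading space: stripped by URL parsing
  "java\tscript:alert(1)",   // embedded tab: stripped by URL parsing
  'https://support.example.com/" onmouseover="alert(1)',
];

for (const s of samples) {
  console.log(
    JSON.stringify(s),
    "blocklist ->", JSON.stringify(blocklistSanitize(s)),
    "| allowlist ->", JSON.stringify(allowlistSanitize(s)),
  );
}
console.log(renderSupportLink("java\tscript:alert(1)", "<Support & help>"));
```

The blocklist passes the leading-space and embedded-tab variants through unchanged, and a browser would execute both; the allowlist rejects everything that does not parse to an absolute http or https URL, including scheme-relative values such as `//evil.example/`. If a deployment genuinely needs other schemes (for example `mailto:`), extend the allowlist explicitly rather than adding more patterns to a blocklist.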
Affected Software | Affected Version | How to fix |
---|---|---|
Octopus Server | >=2019.7.0, <2022.2.8552 | Update to 2022.2.8552 or later |
Octopus Server | >=2022.3.348, <2022.3.10750 | Update to 2022.3.10750 or later |
Octopus Server | >=2022.4.791, <2022.4.8319 | Update to 2022.4.8319 or later |
CVE-2022-4898 is a Cross-Site Scripting (XSS) vulnerability in Octopus Server: the help sidebar can be customized so that its support link carries a script payload, which affects the version ranges listed above. It supersedes the earlier fix from advisory 2022-07, which could be bypassed in certain circumstances.
To mitigate CVE-2022-4898, update Octopus Server to a non-vulnerable version: 2022.2.8552, 2022.3.10750 or 2022.4.8319, or later, as provided in the advisory.
The severity of CVE-2022-4898 is rated as medium with a CVSS score of 5.4.