CVE-2022-4898

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS

Published: Jan 31, 2023
Updated: Apr 14, 2023
CVE: CVE-2022-4898
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
octopus / octopus_server	2022.4.791	2022.4.8319
octopus / octopus_server	2022.3.348	2022.3.10750
octopus / octopus_server	2019.7.0	2022.2.8552

https://advisories.octopus.com/post/2022/sa2023-01/

Vulnerability Database

289,697

CVE-2022-4898