NVD:CVE-2022-4898
Published: Jan 31, 2023 - 4:15 a.m.

CVE-2022-4898

2023-01-31 04:15:07

Tags: CWE-79, web.nvd.nist.gov, octopus server, help sidebar, cross-site scripting, support link, advisory

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (Percentile: 21.2%)

In affected versions of Octopus Server, the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07; however, it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS.

Affected configurations (NVD)

Vendor: octopus
Product: octopus_server

Affected version ranges (any of):
- from 2019.7.0 up to 2022.2.8552
- from 2022.3.348 up to 2022.3.10750
- from 2022.4.791 up to 2022.4.8319
