CVE-2022-4898

Summary

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2019.7.0 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.8552affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.10750affected
Octopus DeployOctopus Server2022.4.791 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.4.8319affected

Weaknesses

  • Stored Cross-Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References