CVE-2022-2507: 
Octopus Deploy vulnerability analysis and mitigation

CVE-2022-2507 affects Octopus Deploy Server and was discovered on September 20, 2022. The vulnerability allows user-supplied input to be rendered into webpages, potentially enabling cross-site scripting (XSS) attacks. The issue was patched on January 17, 2023, and publicly disclosed on April 19, 2023. The vulnerability affects multiple versions of Octopus Server, including all 0.x.x through 4.x.x versions, all 2018.x.x through 2021.x.x versions, and specific versions of 2022.x.x and 2023.1.x before the patched releases (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue stems from a weak Content Security Policy Header that allows user-supplied input to be rendered directly into webpages, creating potential cross-site scripting vectors. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow attackers to inject malicious scripts into web pages viewed by users of the Octopus Deploy Server. While the severity is rated as low by the vendor, the CVSS score indicates a medium severity with potential for limited impact on integrity (Vendor Advisory).

The vulnerability has been fixed in Octopus Server versions 2022.3.10957, 2022.4.8332, and 2023.1.6715. Organizations are recommended to upgrade to version 2023.1.9794 or higher. There are no known mitigations other than upgrading to a patched version. The vendor strongly recommends immediate upgrade to address this security issue (Vendor Advisory).