CVE-2022-29182: 
GoCD Server vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiOS before 7.0.3 allows a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections (GHSA, Fortinet).

The vulnerability is a DOM-based XSS attack that affects GoCD versions 19.11.0 through 21.4.0. The vulnerability exists in a pipeline run's Stage Details > Graphs tab, where a messaging channel used for communication between the parent page and the stage details graph's iframe can be abused. This could allow malicious scripts from an attacker-hosted site to execute within the user's browser context and GoCD session (GHSA).

The vulnerability could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This could potentially lead to unauthorized access and control of the GoCD system with the privileges of the compromised user (GHSA).

The vulnerability has been fixed in GoCD version 22.1.0. There are no known workarounds, so upgrading to version 22.1.0 or later is strongly recommended (GHSA).