CVE-2022-29890: 
Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server, a stored Cross-Site Scripting (XSS) vulnerability was discovered (CVE-2022-29890) that allows customization of the help sidebar to include a malicious payload in the support link. The vulnerability was discovered on May 19, 2022, and a patch was released on June 14, 2022. The affected versions include all 2019.7.x through 2019.13.x, all 2020.x.x versions, 2021.x.x versions before 2021.3.13021, 2022.1.x versions before 2022.1.2849, 2022.2.x versions before 2022.2.6729, and 2022.3.x versions before 2022.3.2387 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically affects the help sidebar functionality where user input is not properly sanitized before being rendered in the support link section (NVD).

This vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers who access the affected help sidebar. The CVSS scoring indicates that the vulnerability has low confidentiality and integrity impact, with no impact on availability. The cross-site scripting capability could potentially lead to unauthorized access to user data or manipulation of the application's behavior (Vendor Advisory).

Octopus Deploy has released fixed versions: 2021.3.13021, 2022.1.2849, 2022.2.6729, and 2022.3.2387. The recommended action is to upgrade to the latest version (2022.2.6729). There are no known mitigations for this vulnerability other than upgrading to a patched version (Vendor Advisory).