Michaelnoonan

**Name of the Vulnerable Software and Affected Versions** Octopus Deploy versions 3.4.0 through 3.13.6 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `Variable Set Name` parameter in the All Variables tab. **Recommendations** For versions 3.4.0 through 3.13.6, update to version 3.13.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Octopus Deploy versions 3.7.0 through 3.17.13 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via the `Step Template Name` parameter. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For versions 3.7.0 through 3.17.13, update to version 3.17.14 to resolve the issue. As a temporary workaround, consider restricting access to the Step Template Name parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Octopus versions prior to 3.17.7 **Description** An issue was discovered where an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the private key, when the special Guest user account is granted the CertificateExportPrivateKey permission and Guest Access is enabled for the Octopus Server. **Recommendations** For versions prior to 3.17.7, update to version 3.17.7 or later to resolve the issue. As a temporary workaround, consider disabling Guest Access or revoking the CertificateExportPrivateKey permission from the Guest user account until a patch is available.