Marco Delai

**Name of the Vulnerable Software and Affected Versions** Thycotic Secret Server versions 8.6.x through 8.8.x before 8.8.000005 **Description** A cross-site scripting (XSS) issue exists in the basic dashboard, allowing remote authenticated users to inject arbitrary web script or HTML via a password entry. This occurs because the password entry is not properly handled when toggling the password mask. **Recommendations** For Thycotic Secret Server versions 8.6.x through 8.8.x before 8.8.000005, update to version 8.8.000005 or later to resolve the issue. As a temporary workaround, consider restricting access to the basic dashboard to minimize the risk of exploitation. Avoid using the password entry feature in the affected dashboard until the issue is resolved.