PT-2017-14570 · Octopus Deploy · Octopus Deploy

Michaelnoonan

Published

2017-11-13

Updated

2017-12-01

CVE-2017-16801

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Octopus Deploy versions 3.7.0 through 3.17.13

Description A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. This could potentially lead to unauthorized actions on the affected system.

Recommendations For versions 3.7.0 through 3.17.13, update to version 3.17.14 to resolve the issue. As a temporary workaround, consider restricting access to the Step Template Name parameter until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-16801

Affected Products

Octopus Deploy

PT-2017-14570 · Octopus Deploy · Octopus Deploy

CVE-2017-16801

Weakness Enumeration

Related Identifiers

Affected Products

References · 3