PT-2022-4593 · Weave · Weave Gitops Enterprise

Published: 2022-09-01 · Updated: 2022-09-07 · CVE-2022-38790

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Weave GitOps Enterprise versions prior to 0.9.0-rc.5

Description: The issue stems from a lack of input sanitization, which a remote attacker can exploit to conduct a cross-site scripting (XSS) attack using a specially crafted link. A malicious user can inject a javascript: link into the UI; when a victim user clicks it, the script executes with the victim's permissions. The injection point is the GitopsCluster dashboard link in the Weave GitOps Enterprise UI, which is rendered from an annotation that can be added to a GitopsCluster custom resource.

Recommendations: For Weave GitOps Enterprise versions prior to 0.9.0-rc.5, update to version 0.9.0-rc.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the GitopsCluster dashboard link to minimize the risk of exploitation. Avoid adding annotations to GitopsCluster custom resources from untrusted sources until the issue is resolved.
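The root cause described above is a link value taken from an annotation and rendered as an href without checking its scheme. The following is an added example, not code from Weave GitOps, of the two defensive checks a practitioner would want: an allow-list validator that a UI can call before rendering such a link (anything that is not http: or https: is refused, including javascript: in mixed case or with embedded whitespace, which the WHATWG URL parser normalizes), and an audit helper that scans GitopsCluster objects for annotation values failing that check. The annotation key `example.invalid/dashboard`, the function names and the sample cluster objects are all constructed for the example and are not the product's real identifiers.

```javascript
// Added example (not Weave GitOps code): validate a dashboard link value taken
// from an untrusted GitopsCluster annotation before it is rendered as an href.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function safeDashboardHref(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser strips leading/trailing whitespace and embedded
    // tabs/newlines and lowercases the scheme, so "  JavaScript:..." and
    // "java\nscript:..." both parse to protocol "javascript:" and are rejected.
    url = new URL(value);
  } catch {
    return null; // relative or unparseable: refuse rather than guess a base
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Audit helper: list clusters whose annotation value would be refused above.
// `annotationKey` is whatever key the dashboard link is read from (placeholder here).
function findUnsafeLinkAnnotations(clusters, annotationKey) {
  const findings = [];
  for (const cluster of clusters) {
    const annotations = (cluster.metadata && cluster.metadata.annotations) || {};
    if (!Object.prototype.hasOwnProperty.call(annotations, annotationKey)) continue;
    const raw = annotations[annotationKey];
    if (safeDashboardHref(raw) === null) {
      findings.push({ name: cluster.metadata.name, value: raw });
    }
  }
  return findings;
}

// Constructed sample objects; the annotation key is a placeholder, not the real one.
const DASHBOARD_KEY = "example.invalid/dashboard";
const SAMPLE_CLUSTERS = [
  { metadata: { name: "prod",    annotations: { [DASHBOARD_KEY]: "https://grafana.example.com/d/abc" } } },
  { metadata: { name: "dev",     annotations: { [DASHBOARD_KEY]: "JavaScript:alert(1)" } } },
  { metadata: { name: "staging", annotations: { [DASHBOARD_KEY]: "/relative/dashboard" } } },
  { metadata: { name: "no-link", annotations: {} } },
];

// Running the audit over the constructed sample reports "dev" and "staging".
function auditSample() {
  return findUnsafeLinkAnnotations(SAMPLE_CLUSTERS, DASHBOARD_KEY).map((f) => f.name);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe dashboard annotations:", auditSample());
}
```

A hardened UI renders the anchor only when `safeDashboardHref` returns a non-null value and otherwise shows the text without a link; an allow-list on the scheme is preferable to a deny-list of `javascript:` spellings because the parser, not the validator, does the normalization.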

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2022-05470
CVE-2022-38790

Affected Products

Weave Gitops Enterprise