{"id":"CVE-2022-38790","details":"Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluster dashboard link. An annotation can be added to a GitopsCluster custom resource.","modified":"2026-04-10T04:50:10.500004Z","published":"2022-09-01T13:15:09.070Z","references":[{"type":"ADVISORY","url":"https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profiles-and-clusters"},{"type":"ADVISORY","url":"https://docs.gitops.weave.works/docs/intro"},{"type":"ADVISORY","url":"https://www.weave.works/product/gitops-enterprise/"},{"type":"FIX","url":"https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/weaveworks/weave-gitops","events":[{"introduced":"0"},{"fixed":"5283dd575efb880947e3973ea57e28cbc897b098"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.0"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.1.0","v0.1.0-rc.1","v0.1.0-rc.2","v0.1.0-rc0","v0.2.0","v0.2.1","v0.2.2","v0.2.2-rc","v0.2.3","v0.2.4","v0.2.5","v0.3.0","v0.3.1","v0.3.2","v0.3.2-rc","v0.3.2-rc1","v0.3.3","v0.3.3-rc0","v0.4.0","v0.4.0-rc0","v0.4.1","v0.4.1-rc0","v0.5.0","v0.5.0-rc0.4.1","v0.5.0-rc1","v0.5.0-rc2","v0.5.1-rc0","v0.5.1-rc0.5.0","v0.5.1-rc1","v0.5.1-rc2","v0.5.1-rc3","v0.6.0","v0.6.0-rc0","v0.6.0-rc1","v0.6.1","v0.6.1-rc1","v0.6.2","v0.7.0-rc1","v0.7.0-rc11","v0.7.0-rc12","v0.7.0-rc2","v0.7.0-rc3","v0.7.0-rc4","v0.7.0-rc5","v0.7.0-rc7","v0.7.0-rc8","v0.7.0-rc9","v0.8.1-rc.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.9.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.9.0-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.9.0-rc3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-38790.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}