In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.