Octopus: >> Octopus Server >> 2019.11.2 Security Vulnerabilities
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-04-10
Affected versions of Octopus Server had a weak content security policy.
CVSS Score
2.6
EPSS Score
0.001
Published
2024-09-11
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
CVSS Score
4.1
EPSS Score
0.002
Published
2024-05-08
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-04-18
A race condition was identified through which privilege escalation was possible in certain configurations.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-04-09
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-08-02
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVSS Score
5.5
EPSS Score
0.001
Published
2023-08-02
In affected versions of Octopus Deploy it is possible to discover network details via error message
CVSS Score
5.3
EPSS Score
0.002
Published
2023-05-18
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVSS Score
5.5
EPSS Score
0.0
Published
2023-05-10
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVSS Score
5.3
EPSS Score
0.002
Published
2023-04-19
Page 1