Vulnerabilities > Octopus > Octopus Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-15 | CVE-2022-1881 | Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. | 5.3 |
| 2022-07-15 | CVE-2022-29890 | Cross-site Scripting vulnerability in Octopus Server In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | 6.1 |
| 2022-05-19 | CVE-2022-1670 | Unspecified vulnerability in Octopus Server When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. | 7.5 |
| 2022-02-07 | CVE-2022-23184 | Open Redirect vulnerability in Octopus Deploy In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | 6.1 |
| 2021-10-07 | CVE-2021-26556 | Untrusted Search Path vulnerability in Octopus Deploy When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | 7.8 |
| 2021-08-18 | CVE-2021-31820 | Cleartext Storage of Sensitive Information vulnerability in Octopus Server In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | 7.5 |
| 2020-08-25 | CVE-2020-16197 | Improper Certificate Validation vulnerability in Octopus Server and Server An issue was discovered in Octopus Deploy 3.4. | 4.3 |
| 2019-08-27 | CVE-2019-15698 | Unspecified vulnerability in Octopus Server In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. | 4.3 |
| 2019-08-05 | CVE-2019-14525 | Unspecified vulnerability in Octopus Deploy and Octopus Server In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | 4.9 |
| 2019-05-01 | CVE-2019-11632 | Improper Privilege Management vulnerability in Octopus Deploy and Octopus Server In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. | 8.1 |