Vulnerabilities > Octopus > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-02 | CVE-2022-2416 | Server-Side Request Forgery (SSRF) vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | 4.3 |
| 2023-08-02 | CVE-2022-2346 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | 4.3 |
| 2023-05-18 | CVE-2022-4870 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to discover network details via error message | 5.3 |
| 2023-05-10 | CVE-2022-4008 | Resource Exhaustion vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 5.5 |
| 2023-05-02 | CVE-2023-2247 | Unspecified vulnerability in Octopus Deploy In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function | 5.3 |
| 2023-03-13 | CVE-2022-2258 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items | 4.3 |
| 2023-03-13 | CVE-2022-2259 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items | 4.3 |
| 2023-01-31 | CVE-2022-4898 | Cross-site Scripting vulnerability in Octopus Server In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | 5.4 |
| 2023-01-03 | CVE-2022-3614 | Open Redirect vulnerability in Octopus Server In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | 6.1 |
| 2022-10-27 | CVE-2022-2508 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |