Vulnerabilities > Octopus > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-10-13 CVE-2022-2828 Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
network
low complexity
octopus CWE-639
6.5
2022-10-12 CVE-2022-2720 Unspecified vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
network
low complexity
octopus
5.3
2022-10-06 CVE-2022-2781 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
network
low complexity
octopus CWE-327
5.3
2022-10-06 CVE-2022-2783 Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
network
low complexity
octopus CWE-352
5.3
2022-09-28 CVE-2022-2760 Information Exposure Through an Error Message vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
network
low complexity
octopus CWE-209
4.3
2022-08-19 CVE-2022-1901 Improper Privilege Management vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
network
low complexity
octopus CWE-269
5.3
2022-06-13 CVE-2022-2013 Unspecified vulnerability in Octopus Deploy
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
network
octopus
4.3
2022-05-19 CVE-2022-1670 Unspecified vulnerability in Octopus Server
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users.
network
low complexity
octopus
5.0
2022-05-04 CVE-2022-1502 Unspecified vulnerability in Octopus Server
Permissions were not properly verified in the API on projects using version control in Git.
network
low complexity
octopus
4.3
2022-02-07 CVE-2022-23184 Open Redirect vulnerability in Octopus Deploy
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
network
octopus CWE-601
5.8