Vulnerabilities > Octopus > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-13 | CVE-2022-2828 | Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | 6.5 |
| 2022-10-12 | CVE-2022-2720 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. | 5.3 |
| 2022-10-06 | CVE-2022-2781 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | 5.3 |
| 2022-10-06 | CVE-2022-2783 | Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | 5.3 |
| 2022-09-28 | CVE-2022-2760 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. | 4.3 |
| 2022-08-19 | CVE-2022-1901 | Improper Privilege Management vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | 5.3 |
| 2022-06-13 | CVE-2022-2013 | Unspecified vulnerability in Octopus Deploy In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space. network octopus | 4.3 |
| 2022-05-19 | CVE-2022-1670 | Unspecified vulnerability in Octopus Server When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. | 5.0 |
| 2022-05-04 | CVE-2022-1502 | Unspecified vulnerability in Octopus Server Permissions were not properly verified in the API on projects using version control in Git. | 4.3 |
| 2022-02-07 | CVE-2022-23184 | Open Redirect vulnerability in Octopus Deploy In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | 5.8 |