Vulnerabilities > Octopus > Medium

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-15 | CVE-2022-29890 | Cross-site Scripting vulnerability in Octopus Server: In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | network; low complexity; octopus CWE-79; 6.1 |
| 2022-05-04 | CVE-2022-1502 | Unspecified vulnerability in Octopus Server: Permissions were not properly verified in the API on projects using version control in Git. | network; low complexity; octopus; 4.3 |
| 2022-02-07 | CVE-2022-23184 | Open Redirect vulnerability in Octopus Deploy: In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | network; low complexity; octopus CWE-601; 6.1 |
| 2022-01-19 | CVE-2021-31821 | Cleartext Storage of Sensitive Information vulnerability in Octopus Tentacle: When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. | local; low complexity; octopus CWE-312; 5.5 |
| 2021-06-17 | CVE-2021-31818 | SQL Injection vulnerability in Octopus Server: Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. | network; low complexity; octopus CWE-89; 4.3 |
| 2021-01-22 | CVE-2021-21270 | Cleartext Transmission of Sensitive Information vulnerability in Octopus Octopusdsc: OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. | local; low complexity; octopus CWE-319; 5.5 |
| 2020-10-26 | CVE-2020-26161 | Open Redirect vulnerability in Octopus Deploy: In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header. | network; low complexity; octopus CWE-601; 6.1 |
| 2020-08-25 | CVE-2020-16197 | Improper Certificate Validation vulnerability in Octopus Server and Server: An issue was discovered in Octopus Deploy 3.4. | network; low complexity; octopus CWE-295; 4.3 |
| 2020-06-19 | CVE-2020-14470 | Information Exposure Through Log Files vulnerability in Octopus Deploy: In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password. | network; low complexity; octopus CWE-532; 6.5 |
| 2020-04-28 | CVE-2020-12286 | Unspecified vulnerability in Octopus Deploy: In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. | network; low complexity; octopus; 4.3 |