Vulnerabilities > Octopus > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-06-26 CVE-2018-12884 Improper Privilege Management vulnerability in Octopus Deploy 3.0
In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu.
network
low complexity
octopus CWE-269
6.5
2018-05-01 CVE-2018-10581 Information Exposure vulnerability in Octopus Deploy
In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping.
network
low complexity
octopus CWE-200
5.4
2018-03-27 CVE-2018-9039 Missing Authorization vulnerability in Octopus Deploy
In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow.
network
low complexity
octopus CWE-862
6.5
2017-11-14 CVE-2017-16810 Cross-site Scripting vulnerability in Octopus Deploy
Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter.
network
low complexity
octopus CWE-79
5.4
2017-11-13 CVE-2017-16801 Cross-site Scripting vulnerability in Octopus Deploy
Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter.
network
low complexity
octopus CWE-79
5.4
2017-10-19 CVE-2017-15611 Incorrect Permission Assignment for Critical Resource vulnerability in Octopus Deploy
In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.
network
low complexity
octopus CWE-732
6.5
2017-10-19 CVE-2017-15610 Information Exposure vulnerability in Octopus Deploy
An issue was discovered in Octopus before 3.17.7.
network
low complexity
octopus CWE-200
6.5
2017-07-17 CVE-2017-11348 Path Traversal vulnerability in Octopus Deploy and Octopus Server
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files.
network
low complexity
octopus CWE-22
5.7