338 matches found
CVE-2022-29890
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link...
CVE-2022-2828
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference IDOR vulnerability...
CVE-2022-2721
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled...
CVE-2022-2783
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token...
CVE-2022-2781
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables...
CVE-2022-2782
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters...
CVE-2022-2720
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work...
CVE-2022-1881
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space...
CVE-2022-2780
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack...
CVE-2021-30183
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext...
CVE-2021-26556
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access...
CVE-2021-31816
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext...
CVE-2019-19085
A persistent cross-site scripting XSS vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML...
CVE-2025-0525
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server...
CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly...
CVE-2025-0513
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message...
CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly...
CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly...
CVE-2025-0588
CVE-2025-0588 affects Octopus Server. A user with sufficient access could send crafted referrer headers to enable setting custom headers in all server responses, causing subsequent responses to return 500 errors and rendering the site largely unusable. This creates a denial-of-service state that ...
CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly...