CVE-2023-4509

It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.

CVE-2024-9194

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3...

CVE-2024-4456

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.

CVE-2024-4226

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.

CVE-2024-4811

In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts.

CVE-2024-6972

In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.

CVE-2024-7998

In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.

CVE-2024-1656

Affected versions of Octopus Server had a weak content security policy.

CVE-2024-2975

A race condition was identified through which privilege escalation was possible in certain configurations.