VYPR

Octopusdeploy

by Octopus

Source repositories

CVEs (59)

  • CVE-2017-16810MedNov 14, 2017
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter.

  • CVE-2017-16801MedNov 13, 2017
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter.

  • CVE-2025-0589MedFeb 11, 2025
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when…

  • CVE-2022-4870MedMay 18, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to discover network details via error message

  • CVE-2023-2247MedMay 2, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function

  • CVE-2022-2507MedApr 19, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage

  • CVE-2022-1901MedAug 19, 2022
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

  • CVE-2022-30532MedJul 19, 2022
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.

  • CVE-2019-19375MedNov 28, 2019
    risk 0.34cvss 5.3epss 0.00

    In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)

  • CVE-2019-14525MedAug 5, 2019
    risk 0.32cvss 4.9epss 0.02

    In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.

  • CVE-2023-4509MedApr 18, 2024
    risk 0.28cvss 4.3epss 0.00

    It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.

  • CVE-2022-2259MedMar 13, 2023
    risk 0.28cvss 4.3epss 0.00

    In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items

  • CVE-2022-2258MedMar 13, 2023
    risk 0.28cvss 4.3epss 0.01

    In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items

  • CVE-2022-2760MedSep 28, 2022
    risk 0.28cvss 4.3epss 0.00

    In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

  • CVE-2020-16197MedAug 25, 2020
    risk 0.28cvss 4.3epss 0.01

    An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is…

  • CVE-2020-12286MedApr 28, 2020
    risk 0.28cvss 4.3epss 0.01

    In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant.

  • CVE-2019-19084MedNov 18, 2019
    risk 0.28cvss 4.3epss 0.01

    In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details.

  • CVE-2019-15698MedAug 27, 2019
    risk 0.28cvss 4.3epss 0.01

    In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.

  • CVE-2026-0704Feb 25, 2026
    risk 0.00cvss epss 0.00

    In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

Page 3 of 3