Octopus ≫ Octopus Server

In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.

In affected versions of Octopus Deploy it is possible to discover network details via error message

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage

In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation

In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items

In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certa...

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.