CVE-2022-4009
https://notcve.org/view.php?id=CVE-2022-4009
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation • https://advisories.octopus.com/post/2023/sa2023-05 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2022-2259
https://notcve.org/view.php?id=CVE-2022-2259
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items • https://advisories.octopus.com/post/2023/sa2023-04 •
CVE-2022-2258
https://notcve.org/view.php?id=CVE-2022-2258
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items • https://advisories.octopus.com/post/2023/sa2023-03 •
CVE-2022-2883
https://notcve.org/view.php?id=CVE-2022-2883
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service • https://advisories.octopus.com/post/2023/sa2023-02 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-4898
https://notcve.org/view.php?id=CVE-2022-4898
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS En las versiones afectadas de Octopus Server, la barra lateral de ayuda se puede personalizar para incluir un payload de Cross-Site Scripting en el enlace de soporte. Esto se resolvió inicialmente en el aviso 2022-07, sin embargo, se identificó que la solución podría omitirse en determinadas circunstancias. Se adoptó un enfoque diferente para evitar la posibilidad de que el enlace de soporte sea susceptible a XSS. • https://advisories.octopus.com/post/2022/sa2023-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •