In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.

In affected versions of Octopus Deploy it is possible to discover network details via error message

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function

In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage

In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation

In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items

In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS