CVE-2025-0589

MEDIUM Year: 2025
Weakness Type
CWE-648
View all →

Vulnerability Description

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

Related Vulnerabilities

CVE-2022-2023

CRITICAL
CVSS:10.0(Critical)

Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.

CWE-6482022

CVE-2019-1010178

CRITICAL
CVSS:9.8(Critical)

Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The at...

CWE-6482019

CVE-2023-4972

CRITICAL
CVSS:9.8(Critical)

Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users.This issue affects Digital Yepas: before 1.0.1.

CWE-6482023

CVE-2024-11068

CRITICAL
CVSS:9.8(Critical)

The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access ...

CWE-6482024

CVE-2024-37018

CRITICAL
CVSS:9.1(Critical)

The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.

CWE-6482024

CVE-2022-20956

HIGH
CVSS:8.8(High)

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files. This vulner...

CWE-6482022