In Octopus Deploy up to and including 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
octopus octopus deploy