Skip to main content

Ssti CVE-2023-41047

MEDIUM
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2023-10-09 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 09, 2023 - 16:15 nvd
MEDIUM 6.5

DescriptionNVD

OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.

AnalysisAI

OctoPrint is a web interface for 3D printers. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-1336. OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties. Affected products include: Octoprint.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Ssti

View all
CVE-2025-47916 CRITICAL POC
10.0 May 16

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e

CVE-2024-6386 CRITICAL POC
9.9 Aug 21

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor

CVE-2024-23692 CRITICAL POC
9.8 May 31

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. Rated c

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2024-32651 CRITICAL POC
10.0 Apr 26

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification servic

CVE-2024-4040 CRITICAL POC
10.0 Apr 22

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms all

CVE-2024-24724 CRITICAL POC
9.8 Apr 03

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Re

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2025-1040 HIGH POC
8.8 Mar 20

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C

CVE-2023-6709 HIGH POC
8.8 Dec 12

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2022-0896 HIGH POC
8.8 Mar 09

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior t

CVE-2024-54954 HIGH POC
8.0 Feb 10

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate

Share

CVE-2023-41047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy