Octoprint
CVE-2024-49377
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 9 pypi packages depend on octoprint (9 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.10.3.
DescriptionNVD
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.
AnalysisAI
OctoPrint provides a web interface for controlling consumer 3D printers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out. Affected products include: Octoprint.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
OctoPrint provides a web interface for controlling consumer 3D printers. Rated critical severity (CVSS 9.4), this vulner
OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP re
Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3. Rated high severity (CVSS 8.8), t
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3. Rated high severity (CVSS 7.8), this
An attacker can freely brute force username and password and can takeover any account. Rated high severity (CVSS 7.5), t
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0. Rated high severity (CVSS 7.5)
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that ar
Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0. Rated medium severity (CVS
OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters. Rated medium severi
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/o
Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3. Rated medium se
OctoPrint provides a web interface for controlling consumer 3D printers. Rated medium severity (CVSS 4.8), this vulnerab
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today