CVE-2024-49377: OctoPrint Vulnerable to Reflected XSS in Jinja2 Templates
(updated )
OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as this is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.
An attacker who successfully talked a victim into clicking on or through a malicious third party app successfully redirected a victim to a specially crafted link could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/b8a6b0a75202edac3bb142a8e4f9041a0b6825bf
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g
- github.com/advisories/GHSA-xvxq-g8hw-fx4g
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-201.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-49377
Code Behaviors & Features
Detect and mitigate CVE-2024-49377 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →