Jacopotediosi

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.11.1 **Description** The issue affects a web interface for controlling consumer 3D printers, allowing an attacker with the `FILE UPLOAD` permission to exfiltrate files from the host by moving them into the upload folder, from where they can be downloaded. **Recommendations** For versions up to and including 1.11.1, update to version 1.11.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.11.1 **Description** The issue allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint, making the web server component become unresponsive. This can be triggered by a broken request lacking an end boundary to any of OctoPrint's endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come, effectively blocking the whole web server due to Tornado being single-threaded. **Recommendations** For versions up to and including 1.11.1, update to version 1.11.2 to resolve the issue. As a temporary workaround, consider restricting access to endpoints that use the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.10.3 **Description** OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security issues. **Recommendations** For versions up to and including 1.10.3, update to version 1.11.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.10.2 **Description** OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve, recreate, or delete the user's or the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API or disrupt workflows depending on the API key they deleted. **Recommendations** For versions up to and including 1.10.2, upgrade to version 1.10.3 to patch the vulnerability. As a temporary workaround, consider restricting access to the API until the issue is resolved. Avoid using the API key in sensitive operations until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.10.2 **Description** OctoPrint provides a web interface for controlling consumer 3D printers. The software contains reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker could use this to retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the OctoPrint instance in a malicious way by tricking a victim into clicking on a specially crafted login link or triggering the application key workflow with specially crafted parameters. **Recommendations** For versions up to and including 1.10.2, update to version 1.10.3 or later to patch the specific vulnerabilities of the login dialog and the standalone application key confirmation dialog. As a temporary workaround, consider restricting access to the login dialog and the standalone application key confirmation dialog until a patch is available. With the release of OctoPrint 1.11.0, switch to globally enforced automatic escaping to reduce the attack surface in general. For third-party plugins, opt into the automatic escaping during the transition period to improve security. Starting with OctoPrint 1.13.0, ensure that automatic escaping is enforced for all plugins, unless they explicitly opt-out.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.10.0 **Description** OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows an unauthenticated attacker to bypass authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, by spoofing their IP via the `X-Forwarded-For` header. This vulnerability does not have any impact if autologin is not enabled. **Recommendations** For OctoPrint versions up to and including 1.10.0, update to version 1.10.1 to resolve the issue. As a temporary workaround, consider disabling the `autologinLocal` option within `config.yaml` until a patch is applied. Restrict access to the instance from potentially hostile networks like the internet to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.9.3 **Description** OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which, when tested through the "Test" button included in the web interface, will execute JavaScript code in the victim's browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the OctoPrint instance in a malicious way. **Recommendations** For versions up to and including 1.9.3, update to version 1.10.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the webcam snapshot URL configuration to prevent malicious configuration. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.