PT-2024-33491 · Octoprint · Octoprint

Jacopotediosi

·

Published

2024-11-05

·

Updated

2024-12-18

·

CVE-2024-49377

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OctoPrint versions up to and including 1.10.2
Description: OctoPrint provides a web interface for controlling consumer 3D printers. Versions up to and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and in the standalone application key confirmation dialog: attacker-controlled request parameters are reflected into these pages without adequate escaping. Because the injected script runs in the victim's browser with the victim's OctoPrint session, an attacker could use it to retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the instance on the victim's behalf. Exploitation requires user interaction: the victim must be tricked into opening a specially crafted login link, or into triggering the application key workflow with specially crafted parameters.
Recommendations: For versions up to and including 1.10.2, update to 1.10.3 or later, which patches the login dialog and the standalone application key confirmation dialog. If updating immediately is not possible, restrict access to the login dialog and the standalone application key confirmation dialog as a temporary workaround; this limits who can reach the affected pages but does not remove the reflection itself. OctoPrint 1.11.0 switches to globally enforced automatic escaping of template output, which reduces the attack surface for this class of bug in general; third-party plugin authors should opt into automatic escaping during the transition period rather than wait for it to become mandatory. Starting with OctoPrint 1.13.0, automatic escaping is enforced for all plugins unless they explicitly opt out, so any plugin that opts out should be reviewed to confirm it escapes its own output.
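The following is an added example, written for this page and not code from OctoPrint or from the advisory author. It shows the vulnerability class described above (a query parameter reflected into a login page unescaped) next to the fix the recommendations point at (escaping enforced for every interpolated template value), plus the triage check a tester would run to tell a raw reflection from an escaped one. The parameter name `next`, the host `printer.local`, the `/api/settings` target in the payload and the hand-rolled `{{ name }}` substitution standing in for a real template engine are all assumptions for illustration; the actual parameters OctoPrint reflected are not stated on this page.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link. The parameter name "next" and the /api/settings
# target are assumptions for this example, not the parameters OctoPrint used.
CRAFTED_LINK = (
    "http://printer.local/login?next="
    "%22%3E%3Cscript%3Efetch(%27/api/settings%27)%3C/script%3E"
)

# Hand-rolled stand-in for a login template (not OctoPrint's). The
# interpolation sits inside an attribute value, so a single double quote in
# the reflected value is enough to break out of it.
LOGIN_TEMPLATE = (
    '<form method="post" action="/login">'
    '<input type="hidden" name="next" value="{{ next }}">'
    '<input name="user"><input name="pass" type="password">'
    "</form>"
)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def query_params(url: str) -> dict:
    """First value of each query parameter, as a web framework hands it over."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render(template: str, ctx: dict, autoescape: bool) -> str:
    """Substitute {{ name }} placeholders.

    autoescape=False inserts values verbatim (the vulnerable pattern).
    autoescape=True HTML-escapes every value, quotes included, which is the
    effect of a globally enforced autoescape in a real template engine.
    """
    def substitute(match):
        value = str(ctx.get(match.group(1), ""))
        return escape(value, quote=True) if autoescape else value

    return _PLACEHOLDER.sub(substitute, template)


def render_login_vulnerable(params: dict) -> str:
    """Reflects the attacker-controlled parameter into the page unescaped."""
    return render(LOGIN_TEMPLATE, {"next": params.get("next", "/")}, autoescape=False)


def render_login_fixed(params: dict) -> str:
    """Same page with escaping enforced; the payload becomes inert text."""
    return render(LOGIN_TEMPLATE, {"next": params.get("next", "/")}, autoescape=True)


def reflects_unescaped(body: str, probe: str) -> bool:
    """Triage check for a candidate reflected XSS: the probe string comes back
    byte-for-byte rather than in its HTML-escaped form."""
    return probe in body and escape(probe, quote=True) not in body


if __name__ == "__main__":
    params = query_params(CRAFTED_LINK)
    print("vulnerable page reflects raw payload:",
          reflects_unescaped(render_login_vulnerable(params), params["next"]))
    print("fixed page reflects raw payload:",
          reflects_unescaped(render_login_fixed(params), params["next"]))
```

Two caveats when applying this to a real instance. HTML escaping is the correct fix for element text and quoted attribute values, which is the context shown here; a value placed inside a `<script>` block, an event-handler attribute or a URL needs context-appropriate encoding instead, and a globally enforced autoescape does not cover places where a template explicitly marks output as safe, so those opt-outs are where this class of bug tends to reappear after the switch. Second, the access-restriction workaround above only reduces who can reach the page; `reflects_unescaped` would still return true against a restricted but unpatched instance.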

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-49377
GHSA-XVXQ-G8HW-FX4G
PYSEC-2024-201

Affected Products

Octoprint