Vulnerabilites related to OctoPrint - OctoPrint
cve-2024-28237
Vulnerability from cvelistv5
Published
2024-03-18 21:17
Modified
2024-08-02 15:20
Severity ?
EPSS score ?
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the "Test" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c | x_refsource_CONFIRM | |
| https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T00:48:49.469Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "octoprint", vendor: "octoprint", versions: [ { lessThanOrEqual: "1.9.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-28237", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-02T15:19:13.496816Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-02T15:20:14.054Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "<= 1.9.3", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \"Test\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-18T21:17:08.139Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", }, ], source: { advisory: "GHSA-x7mf-wrh9-r76c", discovery: "UNKNOWN", }, title: "OctoPrint XSS via the \"Snapshot Test\" feature in Classic Webcam plugin settings", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-28237", datePublished: "2024-03-18T21:17:08.139Z", dateReserved: "2024-03-07T14:33:30.035Z", dateUpdated: "2024-08-02T15:20:14.054Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-2822
Vulnerability from cvelistv5
Published
2022-08-15 10:30
Modified
2024-08-03 00:52
Severity ?
EPSS score ?
Summary
An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:52:58.435Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.9.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-307", description: "CWE-307 Improper Restriction of Excessive Authentication Attempts", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-15T10:40:09", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", }, ], source: { advisory: "6369f355-e6ef-4469-af75-0f6ff00cde3d", discovery: "EXTERNAL", }, title: "Authentication Bypass by Primary Weakness in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-2822", STATE: "PUBLIC", TITLE: "Authentication Bypass by Primary Weakness in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.9.0", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-307 Improper Restriction of Excessive Authentication Attempts", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", refsource: "CONFIRM", url: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", }, { name: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", }, ], }, source: { advisory: "6369f355-e6ef-4469-af75-0f6ff00cde3d", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-2822", datePublished: "2022-08-15T10:30:17", dateReserved: "2022-08-15T00:00:00", dateUpdated: "2024-08-03T00:52:58.435Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-2888
Vulnerability from cvelistv5
Published
2022-09-21 11:25
Modified
2024-08-03 00:52
Severity ?
EPSS score ?
Summary
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629 | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:52:59.606Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-613", description: "CWE-613 Insufficient Session Expiration", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-21T11:25:08", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", }, ], source: { advisory: "d27d232b-2578-4b32-b3b4-74aabdadf629", discovery: "EXTERNAL", }, title: "Insufficient Session Expiration in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-2888", STATE: "PUBLIC", TITLE: "Insufficient Session Expiration in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.3", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-613 Insufficient Session Expiration", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", refsource: "CONFIRM", url: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", }, { name: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", }, ], }, source: { advisory: "d27d232b-2578-4b32-b3b4-74aabdadf629", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-2888", datePublished: "2022-09-21T11:25:08", dateReserved: "2022-08-18T00:00:00", dateUpdated: "2024-08-03T00:52:59.606Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-2930
Vulnerability from cvelistv5
Published
2022-08-22 11:35
Modified
2024-08-03 00:53
Severity ?
EPSS score ?
Summary
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477 | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:53:00.455Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-620", description: "CWE-620 Unverified Password Change", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-22T11:35:11", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", }, ], source: { advisory: "da6745e4-7bcc-4e9a-9e96-0709ec9f2477", discovery: "EXTERNAL", }, title: "Unverified Password Change in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-2930", STATE: "PUBLIC", TITLE: "Unverified Password Change in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.3", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-620 Unverified Password Change", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", refsource: "CONFIRM", url: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", }, { name: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", }, ], }, source: { advisory: "da6745e4-7bcc-4e9a-9e96-0709ec9f2477", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-2930", datePublished: "2022-08-22T11:35:11", dateReserved: "2022-08-22T00:00:00", dateUpdated: "2024-08-03T00:53:00.455Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-16710
Vulnerability from cvelistv5
Published
2018-09-07 19:00
Modified
2024-09-17 02:11
Severity ?
EPSS score ?
Summary
OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/foosel/OctoPrint/issues/2814 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T10:32:52.904Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/foosel/OctoPrint/issues/2814", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with \"blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-07T19:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/foosel/OctoPrint/issues/2814", }, ], tags: [ "disputed", ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-16710", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "** DISPUTED ** OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with \"blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/foosel/OctoPrint/issues/2814", refsource: "MISC", url: "https://github.com/foosel/OctoPrint/issues/2814", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-16710", datePublished: "2018-09-07T19:00:00Z", dateReserved: "2018-09-07T00:00:00Z", dateUpdated: "2024-09-17T02:11:01.953Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-1432
Vulnerability from cvelistv5
Published
2022-05-18 10:10
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:03:06.351Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-18T10:10:10", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", }, ], source: { advisory: "cb545c63-a3c1-4d57-8f06-e4593ab389bf", discovery: "EXTERNAL", }, title: "Cross-site Scripting (XSS) - Generic in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-1432", STATE: "PUBLIC", TITLE: "Cross-site Scripting (XSS) - Generic in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.0", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", refsource: "CONFIRM", url: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", }, { name: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", }, ], }, source: { advisory: "cb545c63-a3c1-4d57-8f06-e4593ab389bf", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-1432", datePublished: "2022-05-18T10:10:10", dateReserved: "2022-04-22T00:00:00", dateUpdated: "2024-08-03T00:03:06.351Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-32561
Vulnerability from cvelistv5
Published
2021-05-11 13:38
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.
References
| ▼ | URL | Tags |
|---|---|---|
| https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | x_refsource_MISC | |
| https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | x_refsource_MISC | |
| https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.992Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-26T13:27:23", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { tags: [ "x_refsource_MISC", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-32561", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", refsource: "MISC", url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", refsource: "MISC", url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { name: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", refsource: "MISC", url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-32561", datePublished: "2021-05-11T13:38:43", dateReserved: "2021-05-11T00:00:00", dateUpdated: "2024-08-03T23:25:30.992Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-32560
Vulnerability from cvelistv5
Published
2021-05-11 13:36
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | x_refsource_MISC | |
| https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | x_refsource_MISC | |
| https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.953Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-26T13:26:31", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { tags: [ "x_refsource_MISC", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-32560", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", refsource: "MISC", url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", refsource: "MISC", url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { name: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", refsource: "MISC", url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-32560", datePublished: "2021-05-11T13:36:17", dateReserved: "2021-05-11T00:00:00", dateUpdated: "2024-08-03T23:25:30.953Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-3068
Vulnerability from cvelistv5
Published
2022-09-21 11:55
Modified
2024-08-03 01:00
Severity ?
EPSS score ?
Summary
Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884 | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:00:10.462Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-269", description: "CWE-269 Improper Privilege Management", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-21T11:55:09", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", }, ], source: { advisory: "f45c24cb-9104-4c6e-a9e1-5c7e75e83884", discovery: "EXTERNAL", }, title: "Improper Privilege Management in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-3068", STATE: "PUBLIC", TITLE: "Improper Privilege Management in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.3", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-269 Improper Privilege Management", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", refsource: "CONFIRM", url: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", }, { name: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", }, ], }, source: { advisory: "f45c24cb-9104-4c6e-a9e1-5c7e75e83884", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-3068", datePublished: "2022-09-21T11:55:09", dateReserved: "2022-08-31T00:00:00", dateUpdated: "2024-08-03T01:00:10.462Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23637
Vulnerability from cvelistv5
Published
2024-01-31 18:01
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr | x_refsource_CONFIRM | |
| https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125 | x_refsource_MISC | |
| https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:06:25.311Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.10.0rc1", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-620", description: "CWE-620: Unverified Password Change", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-31T18:01:58.189Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", }, ], source: { advisory: "GHSA-5626-pw9c-hmjr", discovery: "UNKNOWN", }, title: "OctoPrint Unverified Password Change via Access Control Settings", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-23637", datePublished: "2024-01-31T18:01:58.189Z", dateReserved: "2024-01-19T00:18:53.232Z", dateUpdated: "2024-08-01T23:06:25.311Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-32788
Vulnerability from cvelistv5
Published
2025-04-22 17:14
Modified
2025-04-25 16:03
Severity ?
EPSS score ?
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities. This issue has been patched in version 1.11.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-qw93-h6pf-226x | x_refsource_CONFIRM | |
| https://github.com/OctoPrint/OctoPrint/commit/41ff431014edfa18ca1a01897b10463934dc7fc2 | x_refsource_MISC |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-32788", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-24T19:56:38.443886Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-25T16:03:30.506Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.11.0", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities. This issue has been patched in version 1.11.0.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-290", description: "CWE-290: Authentication Bypass by Spoofing", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-22T17:14:39.690Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-qw93-h6pf-226x", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-qw93-h6pf-226x", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/41ff431014edfa18ca1a01897b10463934dc7fc2", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/commit/41ff431014edfa18ca1a01897b10463934dc7fc2", }, ], source: { advisory: "GHSA-qw93-h6pf-226x", discovery: "UNKNOWN", }, title: "OctoPrint Authenticated Reverse Proxy Page Authentication Bypass", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-32788", datePublished: "2025-04-22T17:14:39.690Z", dateReserved: "2025-04-10T12:51:12.280Z", dateUpdated: "2025-04-25T16:03:30.506Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-3607
Vulnerability from cvelistv5
Published
2022-10-19 00:00
Modified
2024-08-03 01:14
Severity ?
EPSS score ?
Summary
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:14:03.306Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11", }, { tags: [ "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-75", description: "CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-19T00:00:00", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { url: "https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11", }, { url: "https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e", }, ], source: { advisory: "2d1db3c9-93e8-4902-a55b-5ea53c22aa11", discovery: "EXTERNAL", }, title: "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in octoprint/octoprint", }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-3607", datePublished: "2022-10-19T00:00:00", dateReserved: "2022-10-19T00:00:00", dateUpdated: "2024-08-03T01:14:03.306Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-2872
Vulnerability from cvelistv5
Published
2022-09-21 09:55
Modified
2024-08-03 00:52
Severity ?
EPSS score ?
Summary
Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56 | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:52:58.717Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-21T09:55:08", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", }, ], source: { advisory: "b966c74d-6f3f-49fe-b40a-eaf25e362c56", discovery: "EXTERNAL", }, title: "Unrestricted Upload of File with Dangerous Type in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-2872", STATE: "PUBLIC", TITLE: "Unrestricted Upload of File with Dangerous Type in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.3", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-434 Unrestricted Upload of File with Dangerous Type", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", refsource: "CONFIRM", url: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", }, { name: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", }, ], }, source: { advisory: "b966c74d-6f3f-49fe-b40a-eaf25e362c56", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-2872", datePublished: "2022-09-21T09:55:08", dateReserved: "2022-08-17T00:00:00", dateUpdated: "2024-08-03T00:52:58.717Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-32977
Vulnerability from cvelistv5
Published
2024-05-14 13:49
Modified
2024-08-02 02:27
Severity ?
EPSS score ?
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7 | x_refsource_CONFIRM | |
| https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4 | x_refsource_MISC |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "octoprint", vendor: "octoprint", versions: [ { lessThanOrEqual: "1.10.0", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-32977", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-05-15T13:21:43.112557Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-06T17:39:38.021Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T02:27:53.241Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.10.1", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-290", description: "CWE-290: Authentication Bypass by Spoofing", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-14T13:49:20.862Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", }, ], source: { advisory: "GHSA-2vjq-hg5w-5gm7", discovery: "UNKNOWN", }, title: "OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-32977", datePublished: "2024-05-14T13:49:20.862Z", dateReserved: "2024-04-22T15:14:59.166Z", dateUpdated: "2024-08-02T02:27:53.241Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-51493
Vulnerability from cvelistv5
Published
2024-11-05 18:17
Modified
2024-11-05 19:01
Severity ?
EPSS score ?
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953 | x_refsource_CONFIRM |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-51493", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-05T19:01:40.538581Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-05T19:01:48.187Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.10.3", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-620", description: "CWE-620: Unverified Password Change", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-05T18:17:40.472Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953", }, ], source: { advisory: "GHSA-cc6x-8cc7-9953", discovery: "UNKNOWN", }, title: "API key access in settings without reauthentication in OctoPrint", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-51493", datePublished: "2024-11-05T18:17:29.812Z", dateReserved: "2024-10-28T14:20:59.337Z", dateUpdated: "2024-11-05T19:01:48.187Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-1430
Vulnerability from cvelistv5
Published
2022-05-18 10:00
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541 | x_refsource_CONFIRM | |
| https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octoprint | octoprint/octoprint |
Version: unspecified < 1.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:03:06.267Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "octoprint/octoprint", vendor: "octoprint", versions: [ { lessThan: "1.8.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-18T10:00:14", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", }, ], source: { advisory: "0cd30d71-1e32-4a0b-b4c3-faaa1907b541", discovery: "EXTERNAL", }, title: "Cross-site Scripting (XSS) - DOM in octoprint/octoprint", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2022-1430", STATE: "PUBLIC", TITLE: "Cross-site Scripting (XSS) - DOM in octoprint/octoprint", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "octoprint/octoprint", version: { version_data: [ { version_affected: "<", version_value: "1.8.0", }, ], }, }, ], }, vendor_name: "octoprint", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", refsource: "CONFIRM", url: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", }, { name: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", refsource: "MISC", url: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", }, ], }, source: { advisory: "0cd30d71-1e32-4a0b-b4c3-faaa1907b541", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2022-1430", datePublished: "2022-05-18T10:00:14", dateReserved: "2022-04-22T00:00:00", dateUpdated: "2024-08-03T00:03:06.267Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49377
Vulnerability from cvelistv5
Published
2024-11-05 18:20
Modified
2024-11-05 19:01
Severity ?
EPSS score ?
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g | x_refsource_CONFIRM |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49377", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-05T19:01:15.891085Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-05T19:01:22.444Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.10.3", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-80", description: "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-05T18:20:27.173Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g", }, ], source: { advisory: "GHSA-xvxq-g8hw-fx4g", discovery: "UNKNOWN", }, title: "Jinja2 Templates are vulnerable to XSS attacks due to their configuration in OctoPrint", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-49377", datePublished: "2024-11-05T18:20:27.173Z", dateReserved: "2024-10-14T13:56:34.812Z", dateUpdated: "2024-11-05T19:01:22.444Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-41047
Vulnerability from cvelistv5
Published
2023-10-09 15:18
Modified
2024-09-19 16:47
Severity ?
EPSS score ?
Summary
OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph | x_refsource_CONFIRM | |
| https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db | x_refsource_MISC | |
| https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:46:11.828Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "octoprint", vendor: "octoprint", versions: [ { lessThan: "1.9.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-41047", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-19T16:43:52.751548Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-19T16:47:17.108Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "OctoPrint", vendor: "OctoPrint", versions: [ { status: "affected", version: "< 1.9.3", }, ], }, ], descriptions: [ { lang: "en", value: "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1336", description: "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-09T15:18:06.331Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", }, { name: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", }, { name: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", tags: [ "x_refsource_MISC", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", }, ], source: { advisory: "GHSA-fwfg-vprh-97ph", discovery: "UNKNOWN", }, title: "Improper Neutralization of Special Elements Used in a Template Engine in OctoPrint", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-41047", datePublished: "2023-10-09T15:18:06.331Z", dateReserved: "2023-08-22T16:57:23.933Z", dateUpdated: "2024-09-19T16:47:17.108Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2022-09-21 10:15
Modified
2024-11-21 07:01
Severity ?
Summary
Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56 | Exploit, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", versionEndExcluding: "1.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.", }, { lang: "es", value: "Una Descarga sin Restricciones de Archivos de Tipo Peligroso en el repositorio GitHub octoprint/octoprint versiones anteriores a 1.8.3", }, ], id: "CVE-2022-2872", lastModified: "2024-11-21T07:01:50.910", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 2.5, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-21T10:15:09.327", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", }, { source: "security@huntr.dev", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-434", }, ], source: "security@huntr.dev", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-21 12:15
Modified
2024-11-21 07:18
Severity ?
Summary
Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884 | Exploit, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", versionEndExcluding: "1.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.", }, { lang: "es", value: "Una Administración Inapropiada de Privilegios en el repositorio de GitHub octoprint/octoprint versiones anteriores a 1.8.3", }, ], id: "CVE-2022-3068", lastModified: "2024-11-21T07:18:45.370", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 3.4, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-21T12:15:10.280", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", }, { source: "security@huntr.dev", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/ef95ef1c101b79394f134e8fce000e6bae046571", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/f45c24cb-9104-4c6e-a9e1-5c7e75e83884", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-269", }, ], source: "security@huntr.dev", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-10-19 13:15
Modified
2024-11-21 07:19
Severity ?
Summary
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", versionEndExcluding: "1.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.", }, { lang: "es", value: "Un Fallo en el Saneo de Elementos Especiales en un Plano Diferente (Inyección de Elementos Especiales) en el repositorio de GitHub octoprint/octoprint versiones anteriores a 1.8.3", }, ], id: "CVE-2022-3607", lastModified: "2024-11-21T07:19:52.263", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.5, impactScore: 4, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.5, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-19T13:15:08.840", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e", }, { source: "security@huntr.dev", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-75", }, ], source: "security@huntr.dev", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-74", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-05-14 16:17
Modified
2025-04-10 20:33
Severity ?
7.1 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "17A95EDB-8459-432C-A6FF-E84427A4EB28", versionEndExcluding: "1.10.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.", }, { lang: "es", value: "OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.10.0 incluida contienen una vulnerabilidad que permite a un atacante no autenticado omitir completamente la autenticación si la opción `autologinLocal` está habilitada dentro de `config.yaml`, incluso si provienen de redes que no están configuradas como `localNetworks `, falsificando su IP a través del encabezado `X-Forwarded-For`. Si el inicio de sesión automático no está habilitado, esta vulnerabilidad no tiene ningún impacto. La vulnerabilidad ha sido parcheada en la versión 1.10.1. Hasta que se haya aplicado el parche, los administradores de OctoPrint que tengan habilitado el inicio de sesión automático en sus instancias deben deshabilitarlo y/o hacer que la instancia sea inaccesible desde redes potencialmente hostiles como Internet.", }, ], id: "CVE-2024-32977", lastModified: "2025-04-10T20:33:40.387", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.5, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 9.4, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-05-14T16:17:12.590", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-290", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-290", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-01-31 18:15
Modified
2024-11-21 08:58
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "216857C0-BBE7-49CA-890B-A3A277108CF6", versionEndIncluding: "1.9.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.", }, { lang: "es", value: "OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.3 incluida contienen una vulnerabilidad que permite a administradores malintencionados cambiar la contraseña de otras cuentas de administrador, incluida la suya propia, sin tener que repetir su contraseña. Un atacante que lograra secuestrar una cuenta de administrador podría usar esto para bloquear a los administradores reales de su instancia de OctoPrint. La vulnerabilidad se parcheará en la versión 1.10.0.", }, ], id: "CVE-2024-23637", lastModified: "2024-11-21T08:58:03.590", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.8, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-01-31T18:15:49.810", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, { lang: "en", value: "CWE-620", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-11-05 19:15
Modified
2024-12-18 16:34
Severity ?
5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "97EAFBBD-8434-4B24-9D1B-D4556C5D7996", versionEndExcluding: "1.10.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", }, { lang: "es", value: "OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.10.2 incluida contienen una vulnerabilidad que permite a un atacante que ha obtenido control temporal sobre la sesión del navegador OctoPrint de una víctima autenticada recuperar/recrear/eliminar la clave API del usuario o (si la víctima tiene permisos de administrador) la clave API global sin tener que volver a autenticarse ingresando nuevamente la contraseña de la cuenta de usuario. Un atacante podría usar una clave API robada para acceder a OctoPrint a través de su API o interrumpir los flujos de trabajo según la clave API que haya eliminado. Esta vulnerabilidad se solucionará en la versión 1.10.3 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.", }, ], id: "CVE-2024-51493", lastModified: "2024-12-18T16:34:37.497", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-11-05T19:15:07.730", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-620", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-306", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-18 22:15
Modified
2025-01-08 16:22
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the "Test" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "1C2ECD74-6DA3-4D55-83C8-6C31AF51E6E4", versionEndExcluding: "1.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:octoprint:octoprint:1.10.0:rc1:*:*:*:*:*:*", matchCriteriaId: "9C46DEBF-5275-42D9-9007-AEAC0EB9A2ED", vulnerable: true, }, { criteria: "cpe:2.3:a:octoprint:octoprint:1.10.0:rc2:*:*:*:*:*:*", matchCriteriaId: "5DF9ABC6-4D04-433B-803F-C3E537115D74", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \"Test\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.", }, { lang: "es", value: "OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.9.3 incluida contienen una vulnerabilidad que permite a administradores maliciosos configurar o convencer a una víctima con derechos de administrador para que configure una URL de instantánea de cámara web que, cuando se prueba a través del botón \"Probar\" incluido en la interfaz web, ejecutará código JavaScript en el navegador de la víctima al intentar renderizar la imagen instantánea. Un atacante que consiguiera convencer a una víctima con derechos de administrador para que realizara una prueba instantánea con una URL tan manipulada podría utilizarla para recuperar o modificar ajustes de configuración confidenciales, interrumpir impresiones o interactuar de otro modo con la instancia de OctoPrint de forma maliciosa. La vulnerabilidad está parcheada en la versión 1.10.0rc3. Se recomienda encarecidamente a los administradores de OctoPrint que investiguen minuciosamente quién tiene acceso de administrador a su instalación y qué configuraciones modifican según instrucciones de extraños.", }, ], id: "CVE-2024-28237", lastModified: "2025-01-08T16:22:58.707", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 0.6, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 1.7, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-18T22:15:07.980", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-11 14:15
Modified
2024-11-21 06:07
Severity ?
Summary
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "25AD59E6-30E8-4C8C-9AB6-3A4DAE317112", versionEndExcluding: "1.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.", }, { lang: "es", value: "El subsistema de Registro en OctoPrint versiones anteriores a 1.6.0, presenta un control de acceso incorrecto porque intenta administrar archivos que no son archivos *.log", }, ], id: "CVE-2021-32560", lastModified: "2024-11-21T06:07:16.373", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-11T14:15:07.363", references: [ { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-21 12:15
Modified
2024-11-21 07:01
Severity ?
Summary
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629 | Exploit, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", versionEndExcluding: "1.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.", }, { lang: "es", value: "Si un atacante entra en posesión de la cookie de sesión de OctoPrint de una víctima mediante cualquier medio, el atacante puede usar esta cookie para autenticarse mientras la cuenta de la víctima exista", }, ], id: "CVE-2022-2888", lastModified: "2024-11-21T07:01:52.543", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 2.5, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-21T12:15:09.923", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", }, { source: "security@huntr.dev", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-613", }, ], source: "security@huntr.dev", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-18 14:15
Modified
2024-11-21 06:40
Severity ?
Summary
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "CDF4E52F-D6FD-49EF-A45A-1C9659EF2C14", versionEndExcluding: "1.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.", }, { lang: "es", value: "Una vulnerabilidad de tipo Cross-site Scripting (XSS) - DOM en el repositorio de GitHub octoprint/octoprint versiones anteriores a 1.8.0", }, ], id: "CVE-2022-1430", lastModified: "2024-11-21T06:40:43.087", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-18T14:15:08.130", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", }, { source: "security@huntr.dev", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security@huntr.dev", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-15 11:21
Modified
2024-11-21 07:01
Severity ?
Summary
An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d | Exploit, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "41F628B9-62B3-4DE5-B12C-BAF02356A97A", versionEndExcluding: "1.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.", }, { lang: "es", value: "Un atacante puede forzar libremente el nombre de usuario y la contraseña y tomar el control de cualquier cuenta. Un atacante podría adivinar fácilmente las contraseñas de los usuarios y conseguir acceso a las cuentas de usuario y administrativas.", }, ], id: "CVE-2022-2822", lastModified: "2024-11-21T07:01:45.353", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 1.4, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-15T11:21:32.300", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", }, { source: "security@huntr.dev", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-307", }, ], source: "security@huntr.dev", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-11 14:15
Modified
2024-11-21 06:07
Severity ?
Summary
OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://octoprint.org/blog/2021/04/27/new-release-1.6.0/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "25AD59E6-30E8-4C8C-9AB6-3A4DAE317112", versionEndExcluding: "1.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.", }, { lang: "es", value: "OctoPrint versiones anteriores a 1.6.0, permite un ataque de tipo XSS porque los mensajes de error de la API incluyen los valores de los parámetros de entrada", }, ], id: "CVE-2021-32561", lastModified: "2024-11-21T06:07:16.520", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-11T14:15:07.390", references: [ { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://octoprint.org/blog/2021/04/27/new-release-1.6.0/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-22 12:15
Modified
2024-11-21 07:01
Severity ?
Summary
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477 | Exploit, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", versionEndExcluding: "1.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.", }, { lang: "es", value: "Un Cambio de Contraseña no Verificado en el repositorio de GitHub octoprint/octoprint versiones anteriores a 1.8.3.", }, ], id: "CVE-2022-2930", lastModified: "2024-11-21T07:01:56.477", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 3.4, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-22T12:15:09.537", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", }, { source: "security@huntr.dev", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/1453076ee3e47fcab2dc73664ec2d61d3ef7fc4f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/da6745e4-7bcc-4e9a-9e96-0709ec9f2477", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-620", }, ], source: "security@huntr.dev", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-09 16:15
Modified
2024-11-21 08:20
Severity ?
6.2 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "6DDB94E4-F56F-4C7C-A828-B76E70051E66", versionEndExcluding: "1.9.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.", }, { lang: "es", value: "OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.2 incluida contienen una vulnerabilidad que permite a administradores malintencionados configurar un script GCODE especialmente manipulado que permitirá la ejecución de código durante la representación de ese script. Un atacante podría usar esto para extraer datos administrados por OctoPrint o manipular datos administrados por OctoPrint, así como ejecutar comandos arbitrarios con los derechos del proceso OctoPrint en el sistema servidor. Se han parcheado las versiones de OctoPrint desde 1.9.3 en adelante. Se recomienda a los administradores de instancias de OctoPrint que se aseguren de que pueden confiar en todos los demás administradores de su instancia y que tampoco configuren ciegamente scripts GCODE arbitrarios que se encuentren en línea o que les proporcionen terceros.", }, ], id: "CVE-2023-41047", lastModified: "2024-11-21T08:20:27.177", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 5.5, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.6, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-09T16:15:10.480", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1336", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-18 14:15
Modified
2024-11-21 06:40
Severity ?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "CDF4E52F-D6FD-49EF-A45A-1C9659EF2C14", versionEndExcluding: "1.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.", }, { lang: "es", value: "Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Genérico en el repositorio de GitHub octoprint/octoprint versiones anteriores a 1.8.0", }, ], id: "CVE-2022-1432", lastModified: "2024-11-21T06:40:43.340", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.5, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-18T14:15:08.193", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", }, { source: "security@huntr.dev", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/octoprint/octoprint/commit/6d259d7e6f5b0de9a1c762831537a386e53978d3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://huntr.dev/bounties/cb545c63-a3c1-4d57-8f06-e4593ab389bf", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security@huntr.dev", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-11-05 19:15
Modified
2024-12-18 16:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "97EAFBBD-8434-4B24-9D1B-D4556C5D7996", versionEndExcluding: "1.10.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted login link, or a malicious app running on a victim's computer triggering the application key workflow with specially crafted parameters and then redirecting the victim to the related standalone confirmation dialog could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general. The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.", }, { lang: "es", value: "OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.10.2 incluida contienen vulnerabilidades XSS reflejadas en el cuadro de diálogo de inicio de sesión y en el cuadro de diálogo de confirmación de clave de aplicación independiente. Un atacante que haya logrado convencer a una víctima para que haga clic en un enlace de inicio de sesión especialmente manipulado, o una aplicación maliciosa que se ejecute en la computadora de una víctima que active el workflow de clave de aplicación con parámetros especialmente manipulados y luego redirija a la víctima al cuadro de diálogo de confirmación independiente relacionado, podría usar esto para recuperar o modificar configuraciones confidenciales, interrumpir impresiones o interactuar de otro modo con la instancia de OctoPrint de forma maliciosa. Las vulnerabilidades específicas mencionadas anteriormente del cuadro de diálogo de inicio de sesión y del cuadro de diálogo de confirmación de clave de aplicación independiente se han corregido en la versión de corrección de errores 1.10.3 mediante el escape individual de las ubicaciones detectadas. Un cambio global en todo el sistema de plantillas de OctoPrint con la próxima versión 1.11.0 se ocupará de esto aún más, cambiando a un escape automático aplicado globalmente y, por lo tanto, reduciendo la superficie de ataque en general. Este último aspecto también mejorará la seguridad de los complementos de terceros. Durante un período de transición, los complementos de terceros podrán optar por el escape automático. Con OctoPrint 1.13.0, el escape automático se implementará incluso para complementos de terceros, a menos que opten por no hacerlo explícitamente.", }, ], id: "CVE-2024-49377", lastModified: "2024-12-18T16:31:26.757", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-11-05T19:15:05.737", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, { lang: "en", value: "CWE-80", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-09-07 19:29
Modified
2024-11-21 03:53
Severity ?
Summary
OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/foosel/OctoPrint/issues/2814 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/foosel/OctoPrint/issues/2814 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", matchCriteriaId: "9ED02529-8762-4501-B994-E4BF6DE0A288", versionEndIncluding: "1.3.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [ { sourceIdentifier: "cve@mitre.org", tags: [ "disputed", ], }, ], descriptions: [ { lang: "en", value: "OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with \"blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.", }, { lang: "es", value: "** EN DISPUTA ** OctoPrint hasta la versión 1.3.9 permite que atacantes remotos obtengan información sensible o provoquen una denegación de servicio (DoS) mediante peticiones HTTP en el puerto 8081. NOTA: el fabricante discute la relevancia de este informe debido a que su documentación indica que con \"reenvío ciego de puertos... poner OctoPrint en el Internet público es una idea terrible, y no podemos remarcarlo lo suficiente\".", }, ], id: "CVE-2018-16710", lastModified: "2024-11-21T03:53:12.197", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-09-07T19:29:00.537", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/foosel/OctoPrint/issues/2814", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/foosel/OctoPrint/issues/2814", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }