CVE-2024-28237
Vulnerability from cvelistv5
Published
2024-03-18 21:17
Modified
2024-08-02 15:20
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
EPSS score ?
0.06% (0.2037)
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the "Test" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.
References
security-advisories@github.comhttps://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517Patch
security-advisories@github.comhttps://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76cExploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76cExploit, Vendor Advisory
Impacted products
Vendor Product Version
OctoPrint OctoPrint Version: <= 1.9.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T00:48:49.469Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c",
               },
               {
                  name: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517",
               },
            ],
            title: "CVE Program Container",
         },
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "octoprint",
                  vendor: "octoprint",
                  versions: [
                     {
                        lessThanOrEqual: "1.9.3",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-28237",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-02T15:19:13.496816Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-08-02T15:20:14.054Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "OctoPrint",
               vendor: "OctoPrint",
               versions: [
                  {
                     status: "affected",
                     version: "<= 1.9.3",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \"Test\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "LOW",
                  baseScore: 4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-03-18T21:17:08.139Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c",
            },
            {
               name: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517",
            },
         ],
         source: {
            advisory: "GHSA-x7mf-wrh9-r76c",
            discovery: "UNKNOWN",
         },
         title: "OctoPrint XSS via the \"Snapshot Test\" feature in Classic Webcam plugin settings",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-28237",
      datePublished: "2024-03-18T21:17:08.139Z",
      dateReserved: "2024-03-07T14:33:30.035Z",
      dateUpdated: "2024-08-02T15:20:14.054Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-28237\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-18T22:15:07.980\",\"lastModified\":\"2025-01-08T16:22:58.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \\\"Test\\\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.\"},{\"lang\":\"es\",\"value\":\"OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.9.3 incluida contienen una vulnerabilidad que permite a administradores maliciosos configurar o convencer a una víctima con derechos de administrador para que configure una URL de instantánea de cámara web que, cuando se prueba a través del botón \\\"Probar\\\" incluido en la interfaz web, ejecutará código JavaScript en el navegador de la víctima al intentar renderizar la imagen instantánea. Un atacante que consiguiera convencer a una víctima con derechos de administrador para que realizara una prueba instantánea con una URL tan manipulada podría utilizarla para recuperar o modificar ajustes de configuración confidenciales, interrumpir impresiones o interactuar de otro modo con la instancia de OctoPrint de forma maliciosa. La vulnerabilidad está parcheada en la versión 1.10.0rc3. Se recomienda encarecidamente a los administradores de OctoPrint que investiguen minuciosamente quién tiene acceso de administrador a su instalación y qué configuraciones modifican según instrucciones de extraños.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.6,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.0\",\"matchCriteriaId\":\"1C2ECD74-6DA3-4D55-83C8-6C31AF51E6E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octoprint:octoprint:1.10.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C46DEBF-5275-42D9-9007-AEAC0EB9A2ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octoprint:octoprint:1.10.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5DF9ABC6-4D04-433B-803F-C3E537115D74\"}]}]}],\"references\":[{\"url\":\"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\", \"name\": \"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\", \"name\": \"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:49.469Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28237\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-02T15:19:13.496816Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*\"], \"vendor\": \"octoprint\", \"product\": \"octoprint\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.9.3\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-02T15:20:05.956Z\"}}], \"cna\": {\"title\": \"OctoPrint XSS via the \\\"Snapshot Test\\\" feature in Classic Webcam plugin settings\", \"source\": {\"advisory\": \"GHSA-x7mf-wrh9-r76c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"OctoPrint\", \"product\": \"OctoPrint\", \"versions\": [{\"status\": \"affected\", \"version\": \"<= 1.9.3\"}]}], \"references\": [{\"url\": \"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\", \"name\": \"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\", \"name\": \"https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the \\\"Test\\\" button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-18T21:17:08.139Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-28237\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T15:20:14.054Z\", \"dateReserved\": \"2024-03-07T14:33:30.035Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-18T21:17:08.139Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.