Veracode Vulnerability Database: VERACODE:45942
History: Mar 20, 2024 - 6:28 a.m.

Cross-Site Scripting (XSS)

2024-03-20 06:28:39
sca.analysiscenter.veracode.com
cross-site scripting
octoprint
input validation
sanitization
malicious javascript
web browser

CVSS3: 4 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

octoprint is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper input validation and sanitization of the webcam snapshot URL input field, which allows malicious JavaScript code to be executed in the victim’s browser.

CPE Name    Operator    Version
octoprint   le          1.10.0rc2
