CVE-2024-28237: XSS via the "Snapshot Test" feature in Classic Webcam plugin settings
(updated )
OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the “Test” button included in the web interface will execute JavaScript code in the victims browser when attempting to render the snapshot image.
An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c
- github.com/advisories/GHSA-x7mf-wrh9-r76c
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-179.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-28237
Code Behaviors & Features
Detect and mitigate CVE-2024-28237 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →