CVE-2024-49377: OctoPrint Vulnerable to Reflected XSS in Jinja2 Templates

November 5, 2024

OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as this is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.

An attacker who successfully talked a victim into clicking on or through a malicious third party app successfully redirected a victim to a specially crafted link could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.

References

github.com/OctoPrint/OctoPrint
github.com/OctoPrint/OctoPrint/commit/b8a6b0a75202edac3bb142a8e4f9041a0b6825bf
github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g
github.com/advisories/GHSA-xvxq-g8hw-fx4g
nvd.nist.gov/vuln/detail/CVE-2024-49377

Detect and mitigate CVE-2024-49377 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →