octoprint@1.8.2 vulnerabilities

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) due to the misconfiguration of a webcam snapshot URL which, when tested through the "Test" button in the web interface, will execute JavaScript code in the victim's browser during the attempt to render the snapshot image.

An attacker who successfully convinces a victim with admin rights to perform a snapshot test with a maliciously crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the instance in a malicious manner.

Upgrade OctoPrint to version 1.10.0rc3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). An admin user could be deceived into visiting a malicious website, which could then install harmful plugins on the OctoPrint server using the admin's login credentials.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Unverified Password Change via the access control settings. An attacker can change the password of other admin accounts without having to verify their current password by exploiting this vulnerability. This is only exploitable if the attacker has already hijacked an admin account.

Upgrade OctoPrint to version 1.10.0rc1 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine when the GCODE script is configured maliciously. An attacker can execute arbitrary commands with the rights of the process on the server system and manipulate or extract data by crafting a special script.

Upgrade OctoPrint to version 1.9.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Special Element Injection by allowing an attacker to steal any file from the OctoPrint remote server via an upload of a maliciously crafted archive as a language pack and by downloading the stolen files within a backup archive.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Privilege Escalation which makes it possible for a low privileges user (Read-only Access user) to edit and take an action in plugin management section.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Insufficient Session Expiration which allows attackers to steal session cookies and use it to authenticate as long as the victim's account exists.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Arbitrary File Upload due to improper file type validation in the move_file and copy_file functions.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Unverified Password Change. An attacker that gains access to an active user session, can change the account password without previous knowledge of the current password.

Upgrade OctoPrint to version 1.8.3 or higher.

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Improper Restriction of Excessive Authentication Attempts due to the ability of an attacker to brute force usernames and passwords freely, without any rate limiting.

Upgrade OctoPrint to version 1.8.3 or higher.