CVE-2024-49377
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Summary
CVE-2024-49377 affects OctoPrint, a web interface used to control consumer 3D printers. Versions up to and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and standalone application key confirmation dialog. An attacker could exploit these vulnerabilities by convincing a victim to click on a malicious link or triggering the application key workflow with crafted parameters, potentially gaining access to sensitive configuration settings or interrupting prints. OctoPrint has released a bugfix in version 1.10.3 to individually escape the affected locations. The upcoming 1.11.0 release will switch to global automatic escaping, reducing the attack surface and improving third-party plugin security. During a transition period, third-party plugins will have the option to opt-in to automatic escaping. From version 1.13.0 onwards, automatic escaping will be enforced for all plugins unless they explicitly opt-out.
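As an added illustration, not OctoPrint's own code or its Jinja2 setup, the stdlib-only Python below models the three states the summary describes: a dialog that reflects a query parameter unescaped, the 1.10.3-style fix that escapes that one location with an explicit filter, and the 1.11.0-style global autoescape where a template must opt out explicitly. The mini renderer, the templates and the URL are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical minimal template engine: {{ name }}, {{ name|e }} (force escape),
# {{ name|safe }} (opt out of escaping). Stands in for the real engine only.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)(?:\|(safe|e))?\s*\}\}")


def render(template, context, autoescape):
    """Substitute placeholders, escaping each value unless the engine runs
    without autoescape and the template did not ask for |e, or |safe opts out."""
    def substitute(match):
        name, filt = match.group(1), match.group(2)
        value = str(context.get(name, ""))
        if filt == "e" or (autoescape and filt != "safe"):
            return html.escape(value, quote=True)  # per-location or global escaping
        return value                               # raw reflection
    return _PLACEHOLDER.sub(substitute, template)


# Constructed templates for a login dialog that reflects a redirect parameter.
UNPATCHED_TEMPLATE = '<p class="msg">{{ redirect }}</p>'    # relies on the engine
PATCHED_TEMPLATE = '<p class="msg">{{ redirect|e }}</p>'    # 1.10.3-style local fix

# Constructed request URL with an inert tag in the reflected parameter.
CRAFTED_URL = "https://printer.example/login?redirect=%3Cb%3Einjected%3C/b%3E"


def render_login(url, template, autoescape):
    """Extract the reflected parameter from the URL and render the dialog."""
    params = parse_qs(urlsplit(url).query)
    redirect = params.get("redirect", [""])[0]
    return render(template, {"redirect": redirect}, autoescape)


def reflects_raw_markup(url, template, autoescape):
    """Check used here as a regression test: does the untrusted value reach
    the page as live markup rather than as escaped text?"""
    redirect = parse_qs(urlsplit(url).query).get("redirect", [""])[0]
    return redirect in render_login(url, template, autoescape)
```

Under the modelled 1.11.0 default, the unpatched template becomes safe without any per-location change, which is the reduction in attack surface the summary refers to.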
Affected Products
- OctoPrint