CVE-2024-28237 in OctoPrint

Summary

by MITRE • 03/19/2024

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the "Test" button included in the web interface will execute JavaScript code in the victim's browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way. The vulnerability is patched in version 1.10.0rc3. OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and what settings they modify based on instructions by strangers.


Analysis

by VulDB Data Team • 04/14/2025

CVE-2024-28237 is a cross-site scripting flaw in OctoPrint's web interface that affects versions 1.9.3 and earlier. The webcam settings offer a "Test" button that fetches the configured snapshot URL and displays the result so an administrator can confirm the camera works. Because the configured URL was not sufficiently validated before the interface attempted to render the snapshot as an image, a crafted URL causes JavaScript to execute in the browser of whoever runs the test. The payload therefore arrives through a legitimate administrative workflow, in a control the victim expects to be harmless.

There are two ways to reach the vulnerable code path, both of which end with an authenticated administrator clicking "Test" on a crafted URL. A malicious administrator can configure the URL and test it against another admin's session, or an attacker with no access at all can persuade an administrator to enter and test the URL, for example under the guise of troubleshooting help. Execution is tied to the test action rather than to saving the setting. The script runs in the context of the victim's authenticated session, so it can call the same endpoints the victim can. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation) and maps to ATT&CK T1059.007 (Command and Scripting Interpreter: JavaScript).

The operational impact is whatever an administrator can do through the API: read or modify configuration settings, interrupt or alter running print jobs, and otherwise drive the instance on the victim's behalf. Since the target is a machine that controls physical hardware, an interrupted or modified print is a tangible consequence rather than only a data exposure. No technical skill is required from the attacker beyond persuasion; the attack is limited by the need for an admin victim, which is why the advisory stresses vetting who holds admin access and which instructions they follow. The entry carries an EPSS score of 0.00435 and is not listed in CISA's KEV catalog, consistent with the very low observed activity recorded on this page.

Remediation is to upgrade to OctoPrint 1.10.0rc3 or later, where the snapshot test is patched. Until then, administrators should not enter or test snapshot URLs supplied by untrusted parties, should review the currently configured webcam URLs for unexpected schemes or hosts, and should keep the number of admin accounts minimal. A restrictive Content-Security-Policy set on a reverse proxy in front of OctoPrint can limit what injected script is able to do, but it has to be validated against the interface's own requirements before deployment. The broader lesson is that a value fetched from a user-controlled URL must be treated as untrusted content, and the type under which it is rendered must be decided by the application, not by the response.

Responsible

GitHub, Inc.

Reservation

03/07/2024

Disclosure

03/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00435

KEV

no

Activities

very low
