Octoprint: Security Vulnerabilities
Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-09-21
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
CVSS Score
4.4
EPSS Score
0.0
Published
2022-09-21
Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.
CVSS Score
3.7
EPSS Score
0.001
Published
2022-09-21
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-08-22
An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
CVSS Score
3.7
EPSS Score
0.003
Published
2022-08-15
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-05-18
Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-05-18
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.
CVSS Score
6.5
EPSS Score
0.004
Published
2021-05-11
OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-05-11
OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough.
CVSS Score
9.1
EPSS Score
0.007
Published
2018-09-07