Miggo Logo
Miggo Vulnerability Database
CVE-2021-32561

CVE-2021-32561: OctoPrint API Error Messages vulnerable to XSS

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-32561
GHSA ID
GHSA-vcx4-fpmp-mvv6
EPSS Score
0.53429%
CWE
CWE-79
Published
5/24/2022
Updated
10/8/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
OctoPrintpip< 1.6.01.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from API endpoints returning error messages that include unescaped user input parameters. Key evidence includes:

  1. The patch note explicitly states 'Don't return input params in error messages on the API'
  2. The CVE description specifies XSS via parameter values in error messages
  3. The blog post demonstrates XSS via manipulated file paths in /api/files endpoint errors
  4. The vulnerability type (CWE-79) confirms improper input neutralization in web outputs While exact function names aren't provided in available resources, the pattern matches API error handling functions that incorporate user input into error responses without proper sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*toPrint ***or* *.*.* *llows XSS ****us* *PI *rror m*ss***s in*lu** t** v*lu*s o* input p*r*m*t*rs.

Reasoning

T** vuln*r**ility st*ms *rom *PI *n*points r*turnin* *rror m*ss***s t**t in*lu** un*s**p** us*r input p*r*m*t*rs. K*y *vi**n** in*lu**s: *. T** p*t** not* *xpli*itly st*t*s '*on't r*turn input p*r*ms in *rror m*ss***s on t** *PI' *. T** *V* **s*ripti