
CVE-2022-1430: Cross-site Scripting in OctoPrint

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.5967%
Published: 5/19/2022
Updated: 10/8/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: OctoPrint
Ecosystem: pip
Vulnerable Versions: < 1.8.0
First Patched Version: 1.8.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper handling of the 'redirect' parameter in the login endpoint. The pre-patch login function in views.py read the value with request.args.get("redirect") and passed it on without validating the URL structure. The fixing commit added validation with urlparse that rejects values carrying a scheme or a netloc, which indicates that the original function lacked these checks. Because the login flow reflected the parameter into a client-side redirect, a crafted redirect value such as a javascript: URL executes as script when the browser navigates to it. This is the DOM-based XSS vector: an attacker only needs to get a victim to open a login link carrying the malicious parameter, which is why the CVSS vector records required user interaction (UI:R).
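The following is an added example, not OctoPrint's own code: it contrasts the unvalidated pre-patch pattern described above with a urlparse-based check that rejects any scheme or netloc, and also handles two inputs plain urlparse does not flag (a triple-slash prefix and backslashes, both of which browsers normalise into a foreign host). The function names, the default landing target, and the sample payloads are assumptions for illustration.

```python
"""Redirect-parameter validation, as an added illustration of the root cause
described above. This is not OctoPrint's code: the function names, the default
landing target and the sample payloads are assumptions for demonstration."""
from urllib.parse import urlparse

# Hypothetical landing page used when a redirect target is rejected.
DEFAULT_TARGET = "/"


def unsafe_redirect_target(redirect_param):
    """Pre-patch pattern as the analysis describes it: the client-supplied
    value is reflected unchanged, so 'javascript:alert(1)' reaches the
    client-side redirect intact and runs when the browser navigates to it."""
    return redirect_param or DEFAULT_TARGET


def is_safe_redirect(target):
    """Allow only absolute-path, same-origin targets such as '/dashboard'.

    urlparse() is used the way the fix is described: any scheme (http,
    javascript, data, ...) or netloc (a host) disqualifies the value, which
    also covers scheme-relative '//evil.example'. Two cases urlparse alone
    does not flag are handled explicitly: '///evil.example' parses with an
    empty netloc but browsers collapse the extra slashes into a host, and
    backslashes are normalised to slashes by browsers ('/\\evil.example').
    """
    if not isinstance(target, str) or not target:
        return False
    # Browsers strip tabs/newlines before scheme detection ('java\tscript:'
    # still runs) and newer urlparse versions do too; reject controls outright.
    if any(ord(ch) < 0x21 for ch in target) or "\\" in target:
        return False
    if target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False
    # Require a leading slash so a bare 'dashboard' is not silently resolved
    # relative to whatever page the browser happens to be on.
    return target.startswith("/")


def safe_redirect_target(redirect_param):
    """Patched pattern: the validated value, otherwise the default page."""
    if redirect_param and is_safe_redirect(redirect_param):
        return redirect_param
    return DEFAULT_TARGET


# Constructed sample values a phishing link could carry in ?redirect=...,
# mapped to whether the hardened check should accept them.
SAMPLE_PAYLOADS = {
    "/dashboard": True,
    "/settings?tab=users": True,
    "javascript:alert(document.cookie)": False,
    "JavaScript:alert(1)": False,            # scheme matching is case-insensitive
    "java\tscript:alert(1)": False,          # control-character smuggling
    "//evil.example/phish": False,           # scheme-relative, netloc set
    "///evil.example": False,                # urlparse sees no netloc here
    "/\\evil.example": False,                # backslash normalised by browsers
    "https://evil.example/": False,
    "dashboard": False,                      # no leading slash
    "": False,
}


def run_demo():
    """Evaluate every sample and return {payload: accepted?}."""
    results = {p: is_safe_redirect(p) for p in SAMPLE_PAYLOADS}
    for payload, ok in results.items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  unsafe={unsafe_redirect_target(payload)!r}"
              f"  safe={safe_redirect_target(payload)!r}")
    return results


if __name__ == "__main__":
    run_demo()
```

Running the script prints one line per sample showing what the unvalidated pattern would hand to the client-side redirect next to what the hardened pattern returns; every scheme-bearing or host-bearing value collapses to the default landing page, while plain in-app paths pass through unchanged.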

WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0. The login endpoint allows for javascript injection which may lead to account takeover in a phishing scenario.
