OctoPrint HTML/JS Injection in Suppressed Command Popups
What changed
OctoPrint versions up to and including 1.11.7, plus the 2.0.0rc1 and 2.0.0rc2 release candidates, allow arbitrary HTML and JavaScript to be injected into the Suppressed Command notification popups, so a crafted print file can run script in the browser session of whoever has the OctoPrint UI open. Fixed in 1.11.8 and 2.0.0rc3.
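To make the failure mode concrete, here is an added example (not OctoPrint's own code, and the function names, the popup template and the sample G-code line are all hypothetical) of a suppressed-command popup rendered two ways: once by concatenating the command text straight into markup, which is the pattern that lets a print file inject HTML and JavaScript, and once with the text HTML-escaped first. A small tag-detection check shows the difference on a constructed command line.

```javascript
// Added example, not OctoPrint's own code. Models a "suppressed command"
// notification renderer in the injectable pattern and in a hardened form.
// All names and the template are hypothetical assumptions for illustration.

// Escape the five characters that can change HTML or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Injectable pattern: the suppressed command, taken verbatim from the
// print file, is concatenated into the popup's HTML.
function renderPopupUnsafe(command) {
  return '<div class="notice">Suppressed command: <code>' + command + "</code></div>";
}

// Hardened pattern: the command is escaped before it enters markup, so any
// tags present in the file render as literal text.
function renderPopupSafe(command) {
  return '<div class="notice">Suppressed command: <code>' + escapeHtml(command) + "</code></div>";
}

// Check: does the rendered markup contain any tag the template itself did
// not emit? The hypothetical template only produces <div> and <code>.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(div|code)$/.test(t));
}

// Constructed sample: a G-code line whose trailing comment carries a
// script-bearing tag. M112 is just a plausible command to be suppressed;
// the comment payload is the injected text.
const SAMPLE_COMMAND = 'M112 ;<img src=x onerror="alert(document.cookie)">';

function demo() {
  const unsafe = renderPopupUnsafe(SAMPLE_COMMAND);
  const safe = renderPopupSafe(SAMPLE_COMMAND);
  return {
    unsafeInjected: containsForeignTag(unsafe), // true
    safeInjected: containsForeignTag(safe),     // false
    safe,
  };
}

console.log(demo());
```

The escape-at-output step is the whole fix: the command text is still shown to the user, but a browser parses `&lt;img` as four literal characters rather than as an element with an event handler. Escaping at the point where untrusted text enters markup is preferable to filtering on input, because the same command string may later be rendered in other contexts.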
Who it affects
Anyone running an affected version who prints files from untrusted sources; the injected markup arrives with the file being printed.
What to do today
Update to OctoPrint 1.11.8 or 2.0.0rc3. If you cannot update yet, disable popups for suppressed commands in the OctoPrint settings as a stopgap, and keep untrusted files off the printer until you have upgraded.