Headline
CVE-2022-1432: Cross-site Scripting (XSS) - Generic in octoprint
Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.
Description
The Stream URL setting of the OctoPrint application (Settings -> Webcam & Timelapse) accepts an XSS payload that is executed when the URL is tested, resulting in cross-site scripting (XSS) in the context of the logged-in user's session.
Proof of Concept
Log in to the application with a user that can edit settings.
Go to Settings -> Webcam & Timelapse -> Stream URL and insert the payload "<img src=1 onerror=alert(document.cookie)> (the leading double quote is part of the payload; it closes the src attribute the URL is placed in) into the Stream URL field, then click "Test".
You will see that the browser makes an internal GET request to the injected src (which fails), the onerror handler fires, and alert(document.cookie) is displayed, confirming that the payload executed in the OctoPrint UI.
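The behaviour behind the steps above, as an added example that is not OctoPrint's own code: a "Test" button that builds an <img> tag by concatenating the user-supplied Stream URL into markup, next to a hardened version that escapes the value for an HTML attribute and allowlists the URL scheme. The payload string, the base origin octopi.local and the function names are constructed for this illustration; the example runs in Node without a DOM and produces the HTML string that would be handed to innerHTML.

```javascript
// Added example, not OctoPrint's code: vulnerable vs. hardened rendering of
// the webcam Stream URL when the user clicks "Test". The payload below is the
// one from the report (constructed input for this example).
const PAYLOAD = '"<img src=1 onerror=alert(document.cookie)>';

// Vulnerable: the URL is concatenated into markup. A double quote closes the
// src attribute and everything after it is parsed as new HTML, so the
// injected <img> with its onerror handler is created and executed.
function renderTestImageUnsafe(streamUrl) {
  return '<img src="' + streamUrl + '" alt="webcam test">';
}

// Escape the characters that can break out of a double-quoted attribute
// value or start a new tag.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) URLs, absolute or relative to the OctoPrint origin (assumed
// here to be http://octopi.local/), make sense as a webcam stream.
function isAllowedStreamUrl(streamUrl, base = 'http://octopi.local/') {
  let parsed;
  try {
    parsed = new URL(streamUrl, base);
  } catch (e) {
    return false; // unparseable input is rejected outright
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened: reject non-http(s) schemes, then escape before the value touches
// markup. Note that the report's payload is still a syntactically valid
// relative URL, so the scheme check alone would NOT stop it; the attribute
// escaping is what prevents the breakout.
function renderTestImageSafe(streamUrl) {
  if (!isAllowedStreamUrl(streamUrl)) {
    throw new Error('stream URL must be http(s)');
  }
  return '<img src="' + escapeHtmlAttr(streamUrl) + '" alt="webcam test">';
}

// Count element tags in the rendered markup: the intended output has exactly
// one (<img ...>); any second tag means the URL broke out of the attribute.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
```

When reviewing a fix for this class of bug, check the rendered markup rather than the stored value: the vulnerable renderer yields two tags for the report's payload, the hardened one yields a single <img> whose src contains only entity-encoded text, and a javascript: URL is rejected before rendering at all.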
Image POC
https://drive.google.com/drive/folders/1gvRKz8AKOY8XE3O3z4mJdr61heIxGtH7?usp=sharing
Impact
Any logged-in user with access to the webcam settings (or a user tricked into entering and testing a crafted Stream URL) can run arbitrary JavaScript in the context of the OctoPrint UI. Session cookies and credentials could be stolen and user accounts hijacked, sensitive data could be exfiltrated, and the victim's browser could be driven to perform further actions against the OctoPrint instance and the connected printer on the attacker's behalf.