CVE-2022-3607 Injection of special elements into another plane (octoprint/octoprint prior to 1.8.3)

The scope of this issue included all of the code related to handling special elements in the renderer, and in particular the handling of the injected elements, such as when an image is uploaded, a PDF is generated, a file is shared, or any other type of special element is processed.

Our developer team was not able to find an exact copy of the problematic line of code, so we are not able to provide a code example. What we can do, however, is give a high-level overview of the issues found in the renderer.

We found a lot of issues like this:

- Injected elements (such as PDFs, images, etc.) are not handled correctly.
- Injected elements are not injected in the correct place.
- Injected elements are not marked as safe for injection.

Running the code should give you a better understanding of what we found.

I'm going to run the code and see what I get:

Running this code should give me a bunch of different things, like unhandled exceptions and undefined values.

I'm getting some unhandled exceptions with the first line of code, which is where I started in the file, so that's good. I'm also getting undefined values for the variables $node and $elements, both of which are attributes of Element. The last two lines also don't print anything meaningful, because they're just white noise.

Timeline

Published on: 10/19/2022 13:15:00 UTC
Last modified on: 10/20/2022 19:33:00 UTC
