Headline
CVE-2023-24769: [Security] Stored XSS in main page · Issue #1358 · dgtlmoon/changedetection.io
Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the “Add a new change detection watch” function.
Describe the bug
It’s possible to inject arbitrary JavaScript code in the main page of changedetection.io. This can result in a stored cross-site scripting attack. Since the plaintext API key is exposed in /settings#api, the attacker can also read the API key with an XSS attack.
Version
I’m using v0.39.20.4, but I’m sure other versions could be affected as well.
To Reproduce
Steps to reproduce the behavior:
- Go to the main page.
- Under “Add a new change detection watch”, add javascript:alert(document.domain) as the URL
- Click Watch
- A new row is added under the websites watched
- CTRL+click with the mouse on the link to open it in a new tab
- The JavaScript payload is executed.
Reproduce the vulnerability with https://changedetection.io/share/LpbICKx5Rbca
Expected behavior
The javascript: protocol should be blocked, like file://, for security reasons.
Desktop (please complete the following information):
- OS: Linux edoardottt 5.19.0-29-generic
- Browser: Chrome Version 109.0.5414.119 (Official Build) (64-bit)
- Changedetection.io Version: v0.39.20.4
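
The check requested under "Expected behavior", as an added example that is not part of the original issue or the project's own code: a scheme allowlist applied after browser-style normalization, compared with a denylist that only blocks file://. The function names, the http/https allowlist and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only web URLs are legitimate watch targets.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers (WHATWG URL parsing) drop ASCII tab/CR/LF anywhere in a URL and trim
# leading/trailing C0 control characters and spaces, so the check must too.
_DROP_ANYWHERE = dict.fromkeys(map(ord, "\t\r\n"))
_TRIM_EDGES = "".join(chr(c) for c in range(0x21))


def normalize_like_browser(raw: str) -> str:
    return raw.translate(_DROP_ANYWHERE).strip(_TRIM_EDGES)


def is_safe_watch_url(raw: str) -> bool:
    """Accept only absolute http(s) URLs that name a host."""
    try:
        parts = urlsplit(normalize_like_browser(raw))
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)
    except ValueError:  # e.g. malformed IPv6 literal
        return False


def denylist_only(raw: str) -> bool:
    """Hypothetical weak check: blocks file:// and accepts everything else."""
    return not raw.lower().startswith("file:")


# Constructed sample inputs; the first is the URL from the report.
SAMPLES = [
    "javascript:alert(document.domain)",
    "JaVaScRiPt:alert(document.domain)",
    "  java\tscript:alert(document.domain)",
    "file:///etc/passwd",
    "example.com/no-scheme",
    "https://example.com/pricing",
]


def audit(samples=SAMPLES):
    """Map each input to (denylist verdict, allowlist verdict)."""
    return {s: (denylist_only(s), is_safe_watch_url(s)) for s in samples}


if __name__ == "__main__":
    for url, (weak, strict) in audit().items():
        print(f"{url!r:45} denylist={weak!s:5} allowlist={strict}")
```

Running the same check when stored URLs are rendered as link targets, not only when they are submitted, also covers watches saved before the validation existed.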