Headline
GHSA-pwgc-w4x9-gw67: changedetection.io Cross-site Scripting vulnerability
Summary
Input in the notification_urls parameter is reflected into the page without escaping, resulting in JavaScript execution in the application.
Details
changedetection.io version: v0.45.21
https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
for server_url in field.data:
    if not apobj.add(server_url):
        # the rejected server_url is interpolated verbatim into the error message
        message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
        raise ValidationError(message)
PoC
Setting > ADD Notification URL List
"><img src=x onerror=alert(document.domain)>
Requests
Impact
A reflected XSS vulnerability occurs when user input from a URL or POST data is reflected on the page without being stored, allowing the attacker to inject malicious content.
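Added example (not the project's code) contrasting the advisory's message-building pattern with an output-encoded variant. The URL check and the ValidationError class are stand-ins for apobj.add() and wtforms so the snippet runs offline; the submitted values are constructed.

```python
import html
from urllib.parse import urlparse


class ValidationError(Exception):
    """Stand-in for wtforms.ValidationError (hypothetical, for this example)."""


def looks_like_apprise_url(url):
    # Stand-in for apobj.add(): accept only scheme://host-style strings.
    # Apprise itself is not used here so the example runs offline.
    parts = urlparse(url)
    return bool(parts.scheme) and bool(parts.netloc)


def validate_unsafe(urls, is_valid=looks_like_apprise_url):
    # Mirrors the advisory's pattern: the rejected input is interpolated
    # verbatim into the error message that is later rendered in the page.
    for server_url in urls:
        if not is_valid(server_url):
            raise ValidationError("'%s' is not a valid AppRise URL." % server_url)


def validate_escaped(urls, is_valid=looks_like_apprise_url):
    # Hardened variant: HTML-encode the offending value before it reaches
    # the message, so markup in the input is displayed, not executed.
    for server_url in urls:
        if not is_valid(server_url):
            shown = html.escape(server_url, quote=True)
            raise ValidationError("'%s' is not a valid AppRise URL." % shown)


def error_message(validator, urls):
    """Run a validator and return the message it would show, or None."""
    try:
        validator(urls)
    except ValidationError as exc:
        return str(exc)
    return None


def contains_raw_markup(message):
    # Simple output check a test suite can apply to every rendered error string.
    return message is not None and ("<" in message or ">" in message)


if __name__ == "__main__":
    # Constructed input: a valid-looking URL alongside the advisory's PoC payload.
    submitted = ["json://example.invalid/hook", '"><img src=x onerror=alert(document.domain)>']
    print("unsafe :", error_message(validate_unsafe, submitted))
    print("escaped:", error_message(validate_escaped, submitted))
```

Encoding at message-construction time is defence in depth; the template that renders the message must also not mark it safe or disable autoescaping, otherwise a single missed call site reintroduces the reflection.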
Package
changedetection.io (pip)
Affected versions
< 0.45.22
Patched versions
0.45.22
References
- GHSA-pwgc-w4x9-gw67
- https://nvd.nist.gov/vuln/detail/CVE-2024-34061
- dgtlmoon/changedetection.io@c0f000b
- https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
dgtlmoon published to dgtlmoon/changedetection.io: May 2, 2024
Published by the National Vulnerability Database: May 2, 2024
Published to the GitHub Advisory Database: May 3, 2024
Reviewed: May 3, 2024
Last updated: May 3, 2024