Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1wd2djLXc0eDktZ3c2N84AA7vS

changedetection.io Cross-site Scripting vulnerability

Summary

Input in parameter notification_urls is not processed resulting in javascript execution in the application

Details

changedetection.io version: v0.45.21

https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226

        for server_url in field.data:
            if not apobj.add(server_url):
                message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
                raise ValidationError(message)

PoC

Setting > ADD Notification URL List

"><img src=x onerror=alert(document.domain)>

Requests

Impact

A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content

Permalink: https://github.com/advisories/GHSA-pwgc-w4x9-gw67
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wd2djLXc0eDktZ3c2N84AA7vS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 15 days ago
Updated: 15 days ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-pwgc-w4x9-gw67, CVE-2024-34061
References:

• https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-pwgc-w4x9-gw67
• https://nvd.nist.gov/vuln/detail/CVE-2024-34061
• https://github.com/dgtlmoon/changedetection.io/commit/c0f000b1d1ce03733460805dbbedde445fe2c762
• https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
• https://github.com/advisories/GHSA-pwgc-w4x9-gw67

Repository: https://github.com/dgtlmoon/changedetection.io
Blast Radius: 1.0

Affected Packages