Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wd2djLXc0eDktZ3c2N84AA7vS
changedetection.io Cross-site Scripting vulnerability
Summary
Input in the notification_urls parameter is not sanitized, resulting in JavaScript execution in the application.
Details
changedetection.io version: v0.45.21
https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
for server_url in field.data:
    if not apobj.add(server_url):
        # The rejected value is interpolated into the error message verbatim
        message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
        raise ValidationError(message)
PoC
Settings > Add Notification URL List
"><img src=x onerror=alert(document.domain)>
Impact
A reflected XSS vulnerability occurs when user input from a URL or POST data is reflected on the page without being stored, allowing an attacker to inject malicious content.
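The pattern from the Details section, shown as an added example that is not code from changedetection.io or from the referenced fix commit: a stand-in validator (looks_like_notification_url is an assumed, simplified replacement for apprise's apobj.add) that echoes the rejected value verbatim, next to a version that HTML-escapes the value before building the message.

```python
import html
from urllib.parse import urlparse


def looks_like_notification_url(url: str) -> bool:
    """Assumed stand-in for apprise's apobj.add(): accept only values that
    parse with a scheme and a host. Not apprise's real URL parser."""
    parts = urlparse(url)
    return bool(parts.scheme) and bool(parts.netloc)


def validate_vulnerable(urls):
    """Mirrors the advisory's pattern: the rejected value is interpolated
    verbatim into the error message. If the template renders the message
    as HTML, markup in the value becomes active content."""
    errors = []
    for server_url in urls:
        if not looks_like_notification_url(server_url):
            errors.append("'%s' is not a valid AppRise URL." % server_url)
    return errors


def validate_hardened(urls):
    """Same validator, but the untrusted value is HTML-escaped before it is
    placed in the message, so it is always displayed as inert text."""
    errors = []
    for server_url in urls:
        if not looks_like_notification_url(server_url):
            safe = html.escape(server_url, quote=True)
            errors.append("'%s' is not a valid AppRise URL." % safe)
    return errors


def has_active_markup(message: str) -> bool:
    """Quick check on rendered error text: an unescaped angle bracket means
    the browser may interpret it as a tag."""
    return "<" in message or ">" in message


# Constructed sample submission: one well-formed notification URL and one
# value shaped like the advisory's proof of concept (harmless alert text).
SAMPLE_URLS = [
    "mailto://user:pass@example.com",
    '"><img src=x onerror=alert(1)>',
]

if __name__ == "__main__":
    for msg in validate_vulnerable(SAMPLE_URLS):
        print("vulnerable:", msg, "| active markup:", has_active_markup(msg))
    for msg in validate_hardened(SAMPLE_URLS):
        print("hardened:  ", msg, "| active markup:", has_active_markup(msg))
```

The escaping belongs at the point where the untrusted value enters the message, so that the template's own escaping settings cannot silently reintroduce the issue.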
Permalink: https://github.com/advisories/GHSA-pwgc-w4x9-gw67
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wd2djLXc0eDktZ3c2N84AA7vS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-pwgc-w4x9-gw67, CVE-2024-34061
References:
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-pwgc-w4x9-gw67
- https://nvd.nist.gov/vuln/detail/CVE-2024-34061
- https://github.com/dgtlmoon/changedetection.io/commit/c0f000b1d1ce03733460805dbbedde445fe2c762
- https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
- https://github.com/advisories/GHSA-pwgc-w4x9-gw67
Blast Radius: 1.0
Affected Packages
pypi:changedetection.io
Dependent packages: 0
Dependent repositories: 0
Downloads: 8,743 last month
Affected Version Ranges: < 0.45.22
Fixed in: 0.45.22
All affected versions: 0.38.2, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.39.5, 0.39.6, 0.39.7, 0.39.8, 0.39.9, 0.39.10, 0.39.11, 0.39.12, 0.39.13, 0.39.14, 0.39.15, 0.39.16, 0.39.17, 0.39.18, 0.39.19, 0.39.20, 0.39.21, 0.39.22, 0.40.0, 0.40.2, 0.40.3, 0.41.1, 0.42.1, 0.42.2, 0.42.3, 0.43.1, 0.43.2, 0.44.1, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.7, 0.45.8, 0.45.9, 0.45.11, 0.45.12, 0.45.13, 0.45.14, 0.45.15, 0.45.16, 0.45.17, 0.45.18, 0.45.19, 0.45.20, 0.45.21
All unaffected versions: 0.45.22, 0.45.23, 0.45.24, 0.45.25, 0.45.26, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4, 0.47.5, 0.47.6