Skip to content

XSS reflected (Post Base) in /settings

Moderate
dgtlmoon published GHSA-pwgc-w4x9-gw67 May 2, 2024

Package

pip changedetection.io (pip)

Affected versions

<=v0.45.21

Patched versions

v0.45.22

Description

Summary

Input in parameter notification_urls is not processed resulting in javascript execution in the application

Details

changedetection.io version: v0.45.21

https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226

        for server_url in field.data:
            if not apobj.add(server_url):
                message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
                raise ValidationError(message)

PoC

Setting > ADD Notification URL List

image

"><img src=x onerror=alert(document.domain)>

image

Requests

image

Impact

A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2024-34061

Weaknesses

Credits