Unknown · changedetection.io · CVE-2024-51483
**Name of the Vulnerable Software and Affected Versions**
changedetection.io versions prior to 0.47.5
**Description**
The issue allows local system files to be retrieved when a WebDriver is used to fetch files. A URL of the form `source:file:///etc/passwd` bypasses the block that applies to traditional `file:///etc/passwd` requests, because the prefixed payload passes certain regex and checks within the software. The impact depends on where the WebDriver is deployed but is generally considered high.
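The bypass class described above, as an added example (not changedetection.io's own code): a deny-list check on the raw string beside an allow-list check on the unwrapped URL. It assumes `source:` is a wrapper prefix that is stripped before the URL reaches the fetcher; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: "source:" is a wrapper prefix the application strips before
# handing the URL to the fetcher. The project's real handling is not shown
# on this page.
WRAPPER_PREFIXES = ("source:",)
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_allowed(url: str) -> bool:
    """Deny-list on the raw string: only catches a literal leading file:."""
    return not url.strip().lower().startswith("file:")


def unwrap(url: str) -> str:
    """Strip wrapper prefixes repeatedly so the check sees what the fetcher sees."""
    url = url.strip()
    changed = True
    while changed:
        changed = False
        for prefix in WRAPPER_PREFIXES:
            if url.lower().startswith(prefix):
                url = url[len(prefix):].lstrip()
                changed = True
    return url


def hardened_is_allowed(url: str) -> bool:
    """Allow-list on the scheme of the unwrapped URL; requires a host."""
    try:
        parts = urlsplit(unwrap(url))
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


# Constructed sample inputs; the second is the form quoted in the advisory.
SAMPLES = [
    "file:///etc/passwd",
    "source:file:///etc/passwd",
    "Source:source:FILE:///etc/passwd",
    "source:https://example.com/page",
    "https://example.com/page",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} naive={naive_is_allowed(s)!s:5} hardened={hardened_is_allowed(s)}")
```

The naive check accepts every prefixed `file:` form, while the hardened check rejects them and still accepts the prefixed and plain `https` URLs.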
**Recommendations**
Update installations running versions prior to 0.47.5 to version 0.47.5, which resolves the issue. As a temporary workaround, consider restricting the use of the WebDriver to fetch files until the update is applied.