PT-2024-25673 · Unknown · Changedetection.Io
Nguyen-Trung-Kien
Published: 2024-05-02 · Updated: 2024-05-03
CVE-2024-34061
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
changedetection.io versions prior to 0.45.22
Description
The issue is a reflected cross-site scripting (XSS) vulnerability. In affected versions, input supplied in the notification urls parameter is not properly sanitized before being reflected on the page, resulting in JavaScript execution in the application. This allows an attacker to inject malicious content whenever user input from a URL or POST data is reflected on the page without being stored.
Recommendations
For versions prior to 0.45.22, upgrade to version 0.45.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the notification urls parameter to minimize the risk of exploitation, and avoid using the notification urls parameter in the affected API endpoint until the issue is resolved.
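As an added illustration (not code from changedetection.io or from this advisory), the Python snippet below contrasts the defect pattern the description refers to, a submitted value concatenated straight into HTML, with an output-escaped rendering and an input-side check of the kind the workaround suggests. The field name notification_urls, the renderer functions, the constructed sample value and the allowed-scheme policy are all assumptions for the demo.

```python
import html
from urllib.parse import urlsplit

# Constructed sample value, standing in for a reflected "notification urls"
# form field; it is not a captured request from the affected software.
SAMPLE_INPUT = 'https://example.invalid/hook"<script>alert(1)</script>'

# Assumed policy for the demo: notification targets must be absolute http(s) URLs.
ALLOWED_SCHEMES = {"http", "https"}


def render_unescaped(value: str) -> str:
    """Defect pattern: the value is concatenated straight into HTML, so any
    markup it carries becomes part of the page (reflected XSS)."""
    return f'<input name="notification_urls" value="{value}">'


def render_escaped(value: str) -> str:
    """Hardened form: HTML-escape on output. quote=True also encodes the double
    quote as &quot;, so the value cannot break out of the attribute."""
    return f'<input name="notification_urls" value="{html.escape(value, quote=True)}">'


def is_plausible_notification_url(value: str) -> bool:
    """Input-side check (assumed, not the project's own): accept only absolute
    http(s) URLs with a host and without HTML-significant characters."""
    parts = urlsplit(value)
    return (
        parts.scheme in ALLOWED_SCHEMES
        and bool(parts.netloc)
        and not any(c in value for c in '<>"\'')
    )


def contains_active_markup(rendered: str) -> bool:
    """Detection helper for the demo: is a raw <script> tag still present in
    the rendered HTML after the value was inserted?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = renderer(SAMPLE_INPUT)
        print(f"{label:9s} active markup present: {contains_active_markup(out)}")
        print("   ", out)
    print("accepted by input check:", is_plausible_notification_url(SAMPLE_INPUT))
```

Escaping on output is the fix that actually closes the hole, because it neutralizes any value regardless of where it came from; the input check only narrows what reaches the template and is the kind of interim restriction the workaround above describes.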
Affected Products
Changedetection.Io