PT-2024-36824 · Unknown · Changedetection.Io

Vicevirus · Published 2024-12-27 · Updated 2025-01-01 · CVE-2024-56509

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.48.05

Description: The issue is improper input validation in the application, which allows attackers to perform local file read (LFR) or path traversal attacks. Such attacks occur when user input is used to construct file paths without adequate sanitization or validation. Inputs such as file:../../../etc/passwd or file: ///etc/passwd bypass the weak validation and give unauthorized access to sensitive files. Specifically, the insufficient checks in the code are bypassed with input such as file:../../../../etc/passwd or file: ///etc/passwd (with a space before the slashes).

Recommendations: For changedetection.io versions prior to 0.48.05, update to version 0.48.05 to fix the issue. As a temporary workaround, restrict the use of the file: protocol in the application to minimize the risk of exploitation, and avoid using the file: protocol with untrusted input until the issue is resolved.
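The following is an added illustration, not code from changedetection.io or from the advisory: it shows why a literal-prefix deny-list (a hypothetical weak check, assumed here) misses the two inputs quoted above, and how a scheme allow-list plus path confinement implements the "restrict file:" workaround. The base directory /srv/watch and the sample inputs are constructed for the example.

```python
import os
import re
from typing import Optional

# Constructed sample inputs: the two bypass strings quoted in the advisory,
# a normal HTTPS URL and a relative file path that stays inside the base dir.
SAMPLES = [
    "file:../../../../etc/passwd",
    "file: ///etc/passwd",
    "https://example.com/page",
    "file:reports/a.html",
]

# Hypothetical weak check (an assumption, not the project's code): a literal
# prefix deny-list does not match "file:" followed by "../" or by whitespace.
def naive_is_file_url(url: str) -> bool:
    return url.startswith("file://")

# The scheme is whatever precedes the first ":"; whitespace around it is
# ignored, so "file: ///..." and " FILE:..." are still recognised as file URLs.
_SCHEME = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.\-]*)\s*:")

def scheme_of(url: str) -> Optional[str]:
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else None

# Allow-list on the scheme: anything that is not plain HTTP(S) is refused,
# which is the "restrict the file: protocol" workaround in the advisory.
def is_allowed_watch_url(url: str) -> bool:
    return scheme_of(url) in {"http", "https"}

# For deployments that deliberately permit file: URLs, confine the resolved
# path to base_dir. ".." segments and absolute paths both resolve outside it
# and are rejected; a "file://host/p" host part reads as a relative path.
def resolve_local_path(url: str, base_dir: str) -> Optional[str]:
    if scheme_of(url) != "file":
        return None
    rest = url.split(":", 1)[1].strip()
    if rest.startswith("//"):
        rest = rest[2:]
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rest))
    return target if os.path.commonpath([base, target]) == base else None

# (naive verdict, allow-list verdict) for each constructed sample.
def check_samples() -> dict:
    return {u: (naive_is_file_url(u), is_allowed_watch_url(u)) for u in SAMPLES}
```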

Exploit · Fix · Information Disclosure · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-56509
GHSA-J5VV-6WJG-CFR8

Affected Products

Changedetection.Io