Changedetection
CVE-2024-23329
LOW
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
changedetection.io is an open source tool designed to monitor websites for content changes. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Webtechnologies Changedetection. Version information: version 0.45.13..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Changedetection
View allZip Slip in changedetection.io before 0.54.4 via backup restore. PoC and patch available.
changedetection.io is a free open source web page change detection tool. [CVSS 8.6 HIGH]
Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive fi
Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious
changedetection.io versions before 0.54.1 are vulnerable to reflected cross-site scripting (XSS) via the RSS endpoint, w
Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the m
Changedetection.io versions before 0.53.2 allow unauthenticated attackers to read arbitrary files from the application d
changedetection.io is a free open source web page change detection tool. Rated low severity (CVSS 3.5), this vulnerabili
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today