Changedetection

7 CVEs product

Monthly

CVE-2026-29065 PyPI CRITICAL POC PATCH Act Now

Zip Slip in changedetection.io before 0.54.4 via backup restore. PoC and patch available.

Tags: Path Traversal, Changedetection
References: NVD, GitHub
CVSS 3.1: 9.1
EPSS: 0.1%
CVE-2026-29039 PyPI HIGH POC PATCH This Week

Arbitrary file read in changedetection.io prior to 0.54.4 allows unauthenticated remote attackers to access sensitive files by injecting malicious XPath expressions into content filters, exploiting the unparsed-text() function in the elementpath library. The application fails to validate or sanitize XPath input, enabling attackers to read any file accessible to the application process. Public exploit code exists for this vulnerability.

Tags: RCE, Code Injection, Information Disclosure, Changedetection
References: NVD, GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-29038 PyPI MEDIUM POC PATCH This Month

Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.

Tags: Flask, XSS, Changedetection
References: NVD, GitHub
CVSS 3.1: 6.1
EPSS: 0.0%
CVE-2026-27696 PyPI HIGH POC PATCH This Week

changedetection.io is a free open source web page change detection tool. [CVSS 8.6 HIGH]

Tags: SSRF, Changedetection
References: NVD, GitHub
CVSS 3.1: 8.6
EPSS: 0.0%
CVE-2026-27645 PyPI MEDIUM POC PATCH This Month

changedetection.io versions before 0.54.1 are vulnerable to reflected cross-site scripting (XSS) via the RSS endpoint, where user-supplied UUID parameters are rendered without HTML encoding in text/html responses, allowing attackers to execute arbitrary JavaScript in users' browsers. Public exploit code exists for this vulnerability. The issue affects Flask-based deployments and is resolved in version 0.54.1.

Tags: Flask, Changedetection
References: NVD, GitHub
CVSS 3.1: 6.1
EPSS: 0.0%
CVE-2026-25527 MEDIUM POC PATCH This Month

Changedetection.io versions before 0.53.2 allow unauthenticated attackers to read arbitrary files from the application directory through directory traversal in the static file serving endpoint. An attacker can exploit this by manipulating the group parameter to escape the intended static directory and access sensitive application files like source code. Public exploit code exists for this vulnerability, which has been patched in version 0.53.2.

Tags: Flask, Changedetection
References: NVD, GitHub
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2025-62780 PyPI LOW POC PATCH Monitor

changedetection.io is a free open source web page change detection tool. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: XSS, Changedetection
References: NVD, GitHub
CVSS 3.1: 3.5
EPSS: 0.2%