107 matches found

GitHub Security Blog
added 2024/10/15 6:5 p.m., 38 views

changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution

Summary A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host. Details changedetection.io version: 0.45.20 docker images REPOSITORY TAG IMAGE ID CREATED SIZE dgtlmoon/changedetection.io latest...

CVSS 10, AI score 9.6, EPSS 0.83722
Exploits 5, References 6, Affected Software 1
0day.today
added 2024/06/02 12:0 a.m., 185 views

changedetection 0.45.20 Remote Code Execution Exploit

Exploit Title: changedetection = 0.45.20 Remote Code Execution RCE Exploit Author: Zach Crosman zcrosman Vendor Homepage: changedetection.io Software Link: https://github.com/dgtlmoon/changedetection.io Version: = 0.45.20 Tested on: Linux CVE : CVE-2024-32651 from pwn import import requests from...

CVSS 10, AI score 6.7, EPSS 0.83722
Exploits 5
Packet Storm
added 2024/05/31 12:0 a.m., 447 views

changedetection 0.45.20 Remote Code Execution

Exploit Title: changedetection = 0.45.20 Remote Code Execution RCE Date: 5-26-2024 Exploit Author: Zach Crosman zcrosman Vendor Homepage: changedetection.io Software Link: https://github.com/dgtlmoon/changedetection.io Version: = 0.45.20 Tested on: Linux CVE : CVE-2024-32651 from pwn import impor...

CVSS 7.5, AI score 7.1, EPSS 0.83722
Exploits 5
GitHub Security Blog
added 2024/05/03 5:53 p.m., 32 views

changedetection.io Cross-site Scripting vulnerability

Summary Input in parameter notificationurls is not processed resulting in javascript execution in the application Details changedetection.io version: v0.45.21 https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.pyL226 for serverurl in field.data: if not...

CVSS 4.3, AI score 6.2, EPSS 0.01281
Exploits 0, References 5, Affected Software 1
Veracode
added 2024/05/03 7:37 a.m., 20 views

Reflected Cross-site Scripting (XSS)

changedetection.io is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is due to insufficient input sanitization within the notificationurls parameter, resulting in malicious JavaScript execution on affected pages...

CVSS 4.3, AI score 6.5, EPSS 0.01281
Exploits 0, References 2, Affected Software 1
NVD
added 2024/05/02 2:15 p.m., 13 views

CVE-2024-34061

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notificationurls is not processed resulting in javascript execution in the application. A reflected XSS vulnerability happens when...

CVSS 4.3, AI score 4.5, EPSS 0.01281
Exploits 0, References 2
CVE
added 2024/05/02 1:58 p.m., 76 views

CVE-2024-34061

CVE-2024-34061 – Changedetection.io is affected in versions prior to 0.45.22. A reflected Cross‑Site Scripting (XSS) vulnerability arises because input in the notification_urls parameter is not properly sanitized and is reflected on the page, enabling injection of malicious JavaScript. The CVSS v...

CVSS 4.3, AI score 5.9, EPSS 0.01281
Exploits 0, References 2
Cvelist
added 2024/05/02 1:58 p.m., 19 views

CVE-2024-34061 Reflected cross site scripting in changedetection.io

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notificationurls is not processed resulting in javascript execution in the application. A reflected XSS vulnerability happens when...

CVSS 4.3, AI score 4.7, EPSS 0.01281
Exploits 0, References 2
Vulnrichment
added 2024/05/02 1:58 p.m., 12 views

CVE-2024-34061 Reflected cross site scripting in changedetection.io

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. In affected versions Input in parameter notificationurls is not processed resulting in javascript execution in the application. A reflected XSS vulnerability happens when...

CVSS 4.3, AI score 6.1, EPSS 0.01281
Exploits 0, References 2
CVE
added 2024/04/25 11:49 p.m., 188 views

CVE-2024-32651

Changedetection.io is affected by CVE-2024-32651 due to a Server-Side Template Injection (SSTI) in Jinja2 that enables Remote Command Execution on the server host. The Nuclei template and OSV entry describe an unauthenticated RCE condition via unsafe Jinja2 usage, enabling attackers to execute ar...

CVSS 10, AI score 9.8, EPSS 0.83722
Exploits 5, References 4
CNNVD
added 2024/04/25 12:0 a.m., 2 views

ChangeDetection.io security vulnerability

changedetection.io is a website change detection, monitoring and notification application by dgtlmoon individual developer. A security vulnerability exists in ChangeDetection.io versions prior to 21.045 that stems from server-side template injection using an insecure feature of Jinja2 that allows...

CVSS 10, AI score 7.4, EPSS 0.83722
Exploits 5, References 6
GitHub Security Blog
added 2024/01/23 12:50 p.m., 28 views

changedetection.io API endpoint is not secured with API token

Summary API endpoint /api/v1/watch//history can be accessed by any unauthorized user. Details WatchHistory resource does not have @auth.checktoken annotation, which means it can be accessed without providing x-api-key header...

CVSS 3.7, AI score 7.1, EPSS 0.00587
Exploits 1, References 6, Affected Software 1
NVD
added 2024/01/19 8:15 p.m., 14 views

CVE-2024-23329

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

CVSS 3.7, AI score 4, EPSS 0.00587
Exploits 1, References 2
Prion
added 2024/01/19 8:15 p.m., 12 views

Design/Logic Flaw

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

CVSS 2.6, AI score 6.9, EPSS 0.00587
Exploits 1, References 2, Affected Software 1
OSV
added 2024/01/19 8:15 p.m., 22 views

PYSEC-2024-15

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

CVSS 3.7, AI score 4.2, EPSS 0.00587
Exploits 1, References 2
Cvelist
added 2024/01/19 7:49 p.m., 22 views

CVE-2024-23329 changedetection.io API endpoint is not secured with API token

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

CVSS 3.7, AI score 4.3, EPSS 0.00587
Exploits 1, References 2
CVE
added 2024/01/19 7:49 p.m., 213 views

CVE-2024-23329

Product/issue: changedetection.io Vulnerability: The API endpoint /api/v1/watch//history can be accessed by an unauthorized user, exposing watch history paths. The underlying cause is missing access control on the WatchHistory resource. Impact (as stated): Unauthorized access to watch history wit...

CVSS 3.7, AI score 4, EPSS 0.00587
Exploits 1, References 2, Affected Software 1
CNNVD
added 2024/01/19 12:0 a.m., 4 views

changedetection.io security vulnerability

changedetection.io is a website change detection, monitoring and notification application by dgtlmoon individual developer. A security vulnerability exists in changedetection.io that stems from the fact that any unauthorized user can check their viewing history...

CVSS 3.7, AI score 6.8, EPSS 0.00587
Exploits 1, References 3
OSV
added 2023/02/18 12:31 a.m., 10 views

GHSA-68WJ-C2JW-5PP9 Stored cross site scripting in changedetection.io

Changedetection.io before 0.40.2 was discovered to contain a stored cross-site scripting XSS vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection...

CVSS 5.4, AI score 5.2, EPSS 0.00631
Exploits 1, References 7
OSV
added 2023/02/17 10:15 p.m., 16 views

CVE-2023-24769

Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection...

CVSS 5.4, AI score 5.3, EPSS 0.00631
Exploits 1, References 3