Lucene search

Veracode Vulnerability DatabaseVERACODE:45136

HistoryJan 23, 2024 - 10:43 a.m.

Missing Authorization

2024-01-2310:43:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

missing authorization

watchhistory

unauthorized access

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

changedetection_io is vulnerable to Missing Authorization. The vulnerability is due to a missing annotation @auth.check_token on the WatchHistory API endpoint /api/v1/watch//history. This can allows an unauthorized actor to access the endpoint (without providing a x-api-key header) and and check a users watch history.

CPENameOperatorVersion
changedetection.iole0.45.12
changedetection.iole0.45.12

CPE	Name	Operator	Version
	changedetection.io	le	0.45.12
	changedetection.io	le	0.45.12

References

github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156

github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0f

github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwr

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:45136