CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

changedetection.io is a free, open source web page change detection tool. The validation for the file URI scheme falls short, allowing an attacker to read any file on the system. This issue only affects instances with a webdriver enabled and `ALLOW_FILE_URI` set to false or not defined. The check used for the URL protocol, `is_safe_url`, allows `file:` as a URL scheme. The code later checks whether local files are permitted, but one of the preconditions for that check is that the URL starts with `file://`.

• https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13
• https://github.com/dgtlmoon/changedetection.io/commit/49bc982c697169c98b79698889fb9d26f6b3317f
• https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6jrf-rcjf-245r
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.

• https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
• https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
• https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
• https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

changedetection.io is a free, open source web page change detection, website watcher, restock monitor and notification service. In affected versions, input in the `notification_urls` parameter is not processed, resulting in JavaScript execution in the application. A reflected XSS vulnerability happens when user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content. This issue has been addressed in version 0.45.22. Users are advised to upgrade.

• https://github.com/dgtlmoon/changedetection.io/commit/c0f000b1d1ce03733460805dbbedde445fe2c762
• https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-pwgc-w4x9-gw67
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical, as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

• https://github.com/zcrosman/cve-2024-32651
• https://github.com/s0ck3t-s3c/CVE-2024-32651-changedetection-RCE
• https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io
• https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
• https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
• https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2
• CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine