changedetection.io 0.40.1.1 vulnerabilities

Known vulnerabilities in the changedetection.io package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
C Directory Traversal changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Directory Traversal on URLs received as input. An attacker can read local files via the watch preview functionality. URLs are not sufficiently checked for paths that traverse directories with a "dot-dot" pattern, paths beginning with a space. How to fix Directory Traversal? Upgrade `changedetection.io` to version 0.48.5 or higher.	[,0.48.5)
H Directory Traversal changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Directory Traversal due to improper validation for the file `URI` scheme. An attacker can read any file on the system by crafting a URL that bypasses the intended restrictions on local file access. Note: This issue only affects instances with a `webdriver` enabled, and `ALLOW_FILE_URI` false or not defined. How to fix Directory Traversal? Upgrade `changedetection.io` to version 0.47.6 or higher.	[,0.47.6)
M Directory Traversal changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Directory Traversal via the `Watch.py` and `__init__.py` files, an attacker can read arbitrary files on the system by manipulating the file URL to bypass security checks designed to block traditional file access methods. How to fix Directory Traversal? Upgrade `changedetection.io` to version 0.47.5 or higher.	[,0.47.5)
M Cross-site Scripting (XSS) changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the `notification_urls` parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted. How to fix Cross-site Scripting (XSS)? Upgrade `changedetection.io` to version 0.45.22 or higher.	[,0.45.22)
C Server-Side Template Injection changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process. Notes: This can be reduced if `changedetection` access is protected by login page with a password, but this isn't required by the application (not by default and not enforced). 2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell. How to fix Server-Side Template Injection? Upgrade `changedetection.io` to version 0.45.21 or higher.	[,0.45.21)
L Incorrect Authorization changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Incorrect Authorization via the API endpoint `/api/v1/watch/<uuid>/history`. An attacker can access watch history information without proper authorization by knowing a watch UUID. Although the exposed data is limited to paths to snapshots on the server, it could lead to a minimal impact on user data privacy. How to fix Incorrect Authorization? Upgrade `changedetection.io` to version 0.45.13 or higher.	[,0.45.13)
M Cross-site Scripting (XSS) changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the main page which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function. How to fix Cross-site Scripting (XSS)? Upgrade `changedetection.io` to version 0.40.2 or higher.	[,0.40.2)

Vulnerability

Vulnerable Version

Directory Traversal

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Directory Traversal on URLs received as input. An attacker can read local files via the watch preview functionality. URLs are not sufficiently checked for paths that traverse directories with a "dot-dot" pattern, paths beginning with a space.

How to fix Directory Traversal?

Upgrade changedetection.io to version 0.48.5 or higher.

[,0.48.5)

Directory Traversal

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Directory Traversal due to improper validation for the file URI scheme. An attacker can read any file on the system by crafting a URL that bypasses the intended restrictions on local file access.

Note: This issue only affects instances with a webdriver enabled, and ALLOW_FILE_URI false or not defined.

How to fix Directory Traversal?

Upgrade changedetection.io to version 0.47.6 or higher.

[,0.47.6)

Directory Traversal

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Directory Traversal via the Watch.py and __init__.py files, an attacker can read arbitrary files on the system by manipulating the file URL to bypass security checks designed to block traditional file access methods.

How to fix Directory Traversal?

Upgrade changedetection.io to version 0.47.5 or higher.

[,0.47.5)

Cross-site Scripting (XSS)

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the notification_urls parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted.

How to fix Cross-site Scripting (XSS)?

Upgrade changedetection.io to version 0.45.22 or higher.

[,0.45.22)

Server-Side Template Injection

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process.

Notes:

This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).

2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell.

How to fix Server-Side Template Injection?

Upgrade changedetection.io to version 0.45.21 or higher.

[,0.45.21)

Incorrect Authorization

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Incorrect Authorization via the API endpoint /api/v1/watch/<uuid>/history. An attacker can access watch history information without proper authorization by knowing a watch UUID. Although the exposed data is limited to paths to snapshots on the server, it could lead to a minimal impact on user data privacy.

How to fix Incorrect Authorization?

Upgrade changedetection.io to version 0.45.13 or higher.

[,0.45.13)

Cross-site Scripting (XSS)

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the main page which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.

How to fix Cross-site Scripting (XSS)?

Upgrade changedetection.io to version 0.40.2 or higher.

[,0.40.2)

changedetection.io@0.40.1.1 vulnerabilities

Website change detection and monitoring service, detect changes to web pages and send alerts/notifications.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?