CVE-2024-34061
MEDIUM4.3EPSS 27.7%changedetection.io Cross-site Scripting vulnerability
描述
### Summary Input in parameter notification_urls is not processed resulting in javascript execution in the application ### Details changedetection.io version: v0.45.21 https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226 ``` for server_url in field.data: if not apobj.add(server_url): message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url)) raise ValidationError(message) ``` ### PoC Setting > ADD Notification URL List  ``` "><img src=x onerror=alert(document.domain)> ```  Requests  ### Impact A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content
受影響套件(1)
- PyPI/changedetection-iofrom 0, < 0.45.22
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-34061
- PATCHhttps://github.com/dgtlmoon/changedetection.io
- WEBhttps://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
- WEBhttps://github.com/dgtlmoon/changedetection.io/commit/c0f000b1d1ce03733460805dbbedde445fe2c762
- WEBhttps://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-pwgc-w4x9-gw67