Homepage
About Snyk

changedetection.io@0.39.11 vulnerabilities

Website change detection and monitoring service, detect changes to web pages and send alerts/notifications.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the changedetection.io package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-Site Scripting (XSS)

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) due to improper sanitization of user input in the notification_urls parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted.

How to fix Cross-Site Scripting (XSS)?

Upgrade changedetection.io to version 0.45.22 or higher.

[,0.45.22)
  • C
Server-Side Template Injection

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process.

Notes:

  1. This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).

2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell.

How to fix Server-Side Template Injection?

Upgrade changedetection.io to version 0.45.21 or higher.

[,0.45.21)
  • L
Incorrect Authorization

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Incorrect Authorization via the API endpoint /api/v1/watch/<uuid>/history. An attacker can access watch history information without proper authorization by knowing a watch UUID. Although the exposed data is limited to paths to snapshots on the server, it could lead to a minimal impact on user data privacy.

How to fix Incorrect Authorization?

Upgrade changedetection.io to version 0.45.13 or higher.

[,0.45.13)
  • M
Cross-site Scripting (XSS)

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the main page which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.

How to fix Cross-site Scripting (XSS)?

Upgrade changedetection.io to version 0.40.2 or higher.

[,0.40.2)
Go back to all versions of this package