changedetection.io@0.45.20 vulnerabilities

Website change detection and monitoring service, detect changes to web pages and send alerts/notifications.

latest version

0.45.23
latest non vulnerable version

0.45.23
first published

3 years ago
latest version published

10 days ago
licenses detected
- Apache-2.0
  [0,)
View changedetection.io package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the changedetection.io package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-Site Scripting (XSS) changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) due to improper sanitization of user input in the `notification_urls` parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted. How to fix Cross-Site Scripting (XSS)? Upgrade `changedetection.io` to version 0.45.22 or higher.	[,0.45.22)
C Server-Side Template Injection changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process. Notes: This can be reduced if `changedetection` access is protected by login page with a password, but this isn't required by the application (not by default and not enforced). 2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell. How to fix Server-Side Template Injection? Upgrade `changedetection.io` to version 0.45.21 or higher.	[,0.45.21)

Cross-Site Scripting (XSS)

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) due to improper sanitization of user input in the notification_urls parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted.

How to fix Cross-Site Scripting (XSS)?

Upgrade changedetection.io to version 0.45.22 or higher.

[,0.45.22)

Server-Side Template Injection

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process.

Notes:

This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).

2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell.

How to fix Server-Side Template Injection?

Upgrade changedetection.io to version 0.45.21 or higher.

[,0.45.21)

Go back to all versions of this package

changedetection.io@0.45.20 vulnerabilities

Website change detection and monitoring service, detect changes to web pages and send alerts/notifications.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities