Homepage
About Snyk

Cross-Site Scripting (XSS) Affecting changedetection.io package, versions [,0.45.22)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-CHANGEDETECTIONIO-6785194
  • published 2 May 2024
  • disclosed 2 May 2024
  • credit Nguyen-Trung-Kien
Report a new vulnerability Found a mistake?

Introduced: 2 May 2024

CVE-2024-34061 Open this link in a new tab
CWE-79 Open this link in a new tab

How to fix?

Upgrade changedetection.io to version 0.45.22 or higher.

Overview

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) due to improper sanitization of user input in the notification_urls parameter. An attacker can inject malicious scripts into the web page, which are executed in the context of the user's browser session when the malicious URL is visited, or malicious POST data is submitted.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
4.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None