CVE-2024-34061
changedetection.io Cross-site Scripting vulnerability
Description
### Summary

Input in parameter notification_urls is not processed, resulting in JavaScript execution in the application.

### Details

changedetection.io version: v0.45.21

https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226

```python
for server_url in field.data:
    if not apobj.add(server_url):
        message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
        raise ValidationError(message)
```

### PoC

Setting > ADD Notification URL List

```
"><img src=x onerror=alert(document.domain)>
```

Requests

### Impact

A reflected XSS vulnerability happens when user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content.
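The advisory's snippet interpolates the raw submitted URL into the validation error message; the vulnerability arises when that message is later rendered as HTML without escaping. The following is an added example, not code from changedetection.io and not the project's own fix: `is_valid_notification_url` is a hypothetical stand-in for the `apobj.add` check, and the payload constant is the one from the PoC above. It shows the vulnerable message-building pattern beside a hardened version that HTML-escapes the reflected value, plus a small check a test suite can run over any reflected message.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the Apprise URL check the advisory's snippet calls
# (apobj.add). It accepts only a handful of scheme names so the example runs
# offline; the real library recognises many more. Hypothetical helper.
_KNOWN_SCHEMES = {"mailto", "slack", "discord", "tgram", "json", "xml", "form"}

# Payload from the advisory's PoC, used here as a constructed test input.
SAMPLE_PAYLOAD = '"><img src=x onerror=alert(document.domain)>'


def is_valid_notification_url(server_url: str) -> bool:
    """Hypothetical validity check: scheme must be known and a host part present."""
    parts = urlsplit(server_url)
    return parts.scheme in _KNOWN_SCHEMES and bool(parts.netloc)


def validation_message_unsafe(server_url: str) -> str:
    """Mirrors the vulnerable pattern: the raw input is interpolated into the
    message. If the template renders this message without escaping, markup
    in the input reaches the browser as markup."""
    return "'%s' is not a valid AppRise URL." % server_url


def validation_message_safe(server_url: str) -> str:
    """Hardened: HTML-escape the reflected value before interpolating it, so
    the message stays harmless even if the template marks it as safe."""
    return "'%s' is not a valid AppRise URL." % html.escape(server_url, quote=True)


def validate_notification_urls(urls, escape_output: bool = True):
    """Return the error messages for a submitted notification_urls list,
    built either with the hardened or (for comparison) the vulnerable pattern."""
    build = validation_message_safe if escape_output else validation_message_unsafe
    return [build(u) for u in urls if not is_valid_notification_url(u)]


def contains_raw_markup(message: str) -> bool:
    """Cheap regression check for any reflected message: unescaped angle
    brackets or double quotes mean the value is not safe to emit as HTML."""
    return any(ch in message for ch in '<>"')


if __name__ == "__main__":
    submitted = ["mailto://user:pass@example.com", SAMPLE_PAYLOAD]
    for msg in validate_notification_urls(submitted, escape_output=False):
        print("vulnerable:", msg, "| raw markup:", contains_raw_markup(msg))
    for msg in validate_notification_urls(submitted):
        print("hardened:  ", msg, "| raw markup:", contains_raw_markup(msg))
```

Escaping at the point where the value is reflected is the mitigation that does not depend on the template layer: Jinja2's autoescaping already neutralises such messages unless something marks them as safe or renders them outside the template engine, and the hardened builder keeps the message safe in either case.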
How to fix CVE-2024-34061
To remediate CVE-2024-34061, upgrade the affected package to a fixed version below.
- upgrade to 0.45.22 or later
Is CVE-2024-34061 being exploited?
Moderate — EPSS is 24.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 0.45.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |