changedetection.io Cross-site Scripting vulnerability
Moderate severity
GitHub Reviewed
Published May 2, 2024 in dgtlmoon/changedetection.io • Updated May 3, 2024
Description
Published by the National Vulnerability Database: May 2, 2024
Published to the GitHub Advisory Database: May 3, 2024
Reviewed: May 3, 2024
Last updated: May 3, 2024
Summary
Input in the notification_urls parameter is not processed, resulting in JavaScript execution in the application.
Details
changedetection.io version: v0.45.21
https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226
PoC
Setting > ADD Notification URL List
Requests
Impact
A reflected XSS vulnerability happens when user input from a URL or POST data is reflected on the page without being stored, allowing an attacker to inject malicious content.
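The following is an added example, not code from changedetection.io or from the advisory. It sketches one way to process a newline-separated URL list field such as notification_urls: each entry is checked against a scheme allow-list, and any rejected entry is HTML-escaped before it is echoed back in an error message. The function names, the scheme allow-list and the error wording are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumed allow-list for illustration; a deployment would derive this from
# the notification library it actually uses.
ALLOWED_SCHEMES = {"mailto", "json", "discord", "slack", "tgram"}
# Characters RFC 3986 never allows unencoded in a URL.
FORBIDDEN = set('<>"')


def is_acceptable(entry: str) -> bool:
    """True if the entry has an allowed scheme and no raw markup characters."""
    if any(c in FORBIDDEN or c.isspace() for c in entry):
        return False
    try:
        scheme = urlsplit(entry).scheme.lower()
    except ValueError:  # e.g. malformed bracketed host
        return False
    return scheme in ALLOWED_SCHEMES


def validate_notification_urls(raw: str):
    """Split the field into accepted entries and safe-to-render errors."""
    accepted, errors = [], []
    for line in raw.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if is_acceptable(entry):
            accepted.append(entry)
        else:
            # Escape before reflecting the value back to the page.
            safe = html.escape(entry, quote=True)
            errors.append(f"'{safe}' is not a valid notification URL.")
    return accepted, errors


def unsafe_error(entry: str) -> str:
    """The pattern to avoid: the rejected entry is reflected as-is."""
    return f"'{entry}' is not a valid notification URL."


if __name__ == "__main__":
    # Constructed sample input, not taken from the advisory.
    sample = 'mailto://user:pass@example.com\n<i>markup</i>\n'
    ok, errs = validate_notification_urls(sample)
    print("accepted:", ok)
    print("errors:  ", errs)
    print("unsafe:  ", unsafe_error("<i>markup</i>"))
```

Escaping at the point of output remains necessary even with input validation, because the template layer is where reflected values become markup.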
References