changedetection.io Cross-site Scripting vulnerability
Input in parameter notification_urls is not processed resulting in javascript execution in the application
Input in parameter notification_urls is not processed resulting in javascript execution in the application
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy …
Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.