CVE-2024-23329: changedetection.io API endpoint is not secured with API token
(updated )
API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user.
References
- github.com/advisories/GHSA-hcvp-2cc7-jrwr
- github.com/dgtlmoon/changedetection.io
- github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py
- github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0f
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwr
- github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2024-15.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-23329
Detect and mitigate CVE-2024-23329 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →