How the CVE Works
The vulnerability CVE-2025-XXXXX in ChangeDetection.io arises from insufficient input sanitization in the watch overview feature. When users create or modify website change detection watches, malicious JavaScript can be injected via unfiltered error messages. This stored XSS payload executes when an administrator or another user views the affected watch entry, giving arbitrary script execution in the context of the victim's session. The flaw stems from improper handling of HTML/JS payloads in the error feedback produced from monitored page responses.
DailyCVE Form
Platform: ChangeDetection.io
Version: <0.50.4
Vulnerability: Stored XSS
Severity: High
Date: 2025-06-21
Prediction: Patch by 2025-07-05
What Undercode Say
Analytics:
curl -X GET "http://target/changedetection/api/watch" | grep "script"

import requests

target = "http://target"  # placeholder host, matching the curl line above
payload = "<script>alert('XSS')</script>"
requests.post(f"{target}/watch", data={"url": payload})
Exploit:
1. Craft a watch with malicious JS in an error-triggering URL.
2. Admin views the watch list → payload executes.
Protection from this CVE:
- Update to v0.50.4.
- Sanitize watch error outputs.
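The second mitigation, sanitizing error text before it reaches the watch overview, shown as an added example that is not ChangeDetection.io's own code. The `Watch` dataclass, the row-rendering functions and the sample error string are all constructed here for illustration; the point is that the fix is to HTML-escape every untrusted field (the monitored URL and the fetch error) at render time, and that a stored-error audit can flag entries that already carry markup:

```python
import html
from dataclasses import dataclass

# Constructed sample input: a watch whose monitored page produced an error
# message containing script markup, the kind of value the advisory describes.
SAMPLE_URL = "https://example.invalid/page"
SAMPLE_ERROR = "Fetch failed: <script>alert('XSS')</script>"


@dataclass
class Watch:
    """Hypothetical minimal watch record: the target URL and its last fetch error."""
    url: str
    last_error: str = ""


def render_watch_row_unsafe(watch: Watch) -> str:
    """Vulnerable pattern: the stored error text is concatenated into HTML verbatim,
    so any tags it carries are rendered by the viewer's browser."""
    return f"<tr><td>{watch.url}</td><td class='error'>{watch.last_error}</td></tr>"


def render_watch_row(watch: Watch) -> str:
    """Hardened pattern: every untrusted field is escaped (including quotes) before
    insertion, so the browser shows the error text instead of executing it."""
    url = html.escape(watch.url, quote=True)
    err = html.escape(watch.last_error, quote=True)
    return f"<tr><td>{url}</td><td class='error'>{err}</td></tr>"


def contains_raw_script_tag(fragment: str) -> bool:
    """Check used by the test: does the rendered fragment contain a live <script tag?"""
    return "<script" in fragment.lower()


def flag_suspicious_errors(watches: list[Watch]) -> list[str]:
    """Defender-side audit of already-stored records: return the URLs of watches whose
    saved error text contains angle brackets, i.e. candidates for stored markup."""
    return [w.url for w in watches if "<" in w.last_error or ">" in w.last_error]


if __name__ == "__main__":
    w = Watch(SAMPLE_URL, SAMPLE_ERROR)
    print("unsafe:", render_watch_row_unsafe(w))
    print("escaped:", render_watch_row(w))
    print("flagged:", flag_suspicious_errors([w, Watch("https://example.invalid/ok", "timeout")]))
```

Escaping at the output boundary is preferable to stripping tags on input: the raw error remains available for debugging, and the same rendering function protects every view that displays it.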
Impact:
Session hijacking, admin compromise.
Sources:
Reported By: github.com