How the CVE Works
The vulnerability arises from an inconsistency in security validation between the changedetection.io web interface and its backend API. The web UI correctly uses a `validate_url()` function, which calls `is_safe_url()`, to block unsafe URL protocols such as `javascript:`. However, the Watch update API endpoint (`/api/v1/watch/<uuid>`) bypasses this check entirely. An attacker can send a crafted PUT request to this API with a malicious JavaScript payload in the `url` field, and the payload is stored unchanged in the application's database. When an authenticated user later views their watch list and clicks the "Preview" button for the compromised watch, the malicious link is rendered. Clicking it executes the attacker's JavaScript in the context of the user's session, which is a Stored Cross-Site Scripting (XSS) attack.
DailyCVE
Platform: changedetection.io
Version: v0.50.24
Vulnerability: Stored XSS
Severity: Critical
Date: 2024-10-23
Prediction: Patch expected 2024-11-06
What Undercode Say
curl -X PUT "http://example.site/api/v1/watch/1242e1c5-d59e-4352-0078-203a55b21282" \
-H "x-api-key: XXX" \
-H "Content-Type: application/json" \
-d '{"url": "javascript:alert(document.domain)"}'
Simplified code logic showing the vulnerability:

def validate_url(test_url):
    from .model.Watch import is_safe_url
    if not is_safe_url(test_url):  # This check is bypassed by the API
        raise ValidationError('Unsafe URL protocol')

# API endpoint handler (vulnerable)
def api_update_watch(watch_id):
    data = request.get_json()
    # Missing call to validate_url(data['url'])
    watch.url = data['url']  # Unsafe URL is stored directly
    watch.save()
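The following is an added example, not code from changedetection.io or from this post. It shows the hardened form of the simplified handler above: the same `validate_url()` that protects the web form is applied to the API path, so a `javascript:` URL is rejected with a 400 before anything is written. It also includes an audit helper, because payloads stored before a patch stay in the database until they are found and removed. The `is_safe_url()` implementation, the `WatchStore` class, the `ValidationError` type and `find_unsafe_watches()` are all assumptions made for this example; the real project's internals may differ.

```python
# Added example (not changedetection.io's own code): a hardened version of the
# simplified handler in the post, plus an audit helper for watches stored before
# the fix. is_safe_url/validate_url mirror the names used in the post; the
# in-memory WatchStore, ValidationError and find_unsafe_watches are assumptions.
from urllib.parse import urlparse

# Schemes a watch URL may legitimately use. Everything else is rejected, so
# javascript:, data:, vbscript: and file: URLs never reach a template.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class ValidationError(ValueError):
    """Raised when a submitted URL fails validation."""


def is_safe_url(test_url):
    """Return True only for absolute http(s) URLs that carry a host.

    Strips surrounding whitespace and ignores scheme case, so that
    ' JavaScript:alert(1)' is treated the same as 'javascript:alert(1)'.
    """
    if not isinstance(test_url, str):
        return False
    candidate = test_url.strip()
    # Embedded control characters (tab, newline) can hide a scheme from naive
    # string checks; browsers strip them, so reject the URL outright.
    if any(ord(c) < 0x20 for c in candidate):
        return False
    parsed = urlparse(candidate)
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def validate_url(test_url):
    """Single shared check, used by BOTH the web form and the API handler."""
    if not is_safe_url(test_url):
        raise ValidationError("Unsafe URL protocol")
    return test_url.strip()


class WatchStore:
    """Minimal stand-in for the application's watch database (constructed)."""

    def __init__(self):
        self.watches = {}

    def save(self, watch_id, url):
        self.watches[watch_id] = {"url": url}


def api_update_watch_vulnerable(store, watch_id, data):
    """Mirrors the vulnerable handler: the URL is stored without validation."""
    store.save(watch_id, data["url"])
    return 200


def api_update_watch_fixed(store, watch_id, data):
    """Hardened handler: validate_url() runs on the API path as well."""
    try:
        safe_url = validate_url(data.get("url"))
    except ValidationError:
        # Reject the request; nothing is written to the database.
        return 400
    store.save(watch_id, safe_url)
    return 200


def find_unsafe_watches(store):
    """Audit helper: ids of stored watches whose URL fails is_safe_url().

    Run this after patching, since records written before the fix are not
    re-validated by the new handler.
    """
    return sorted(wid for wid, w in store.watches.items() if not is_safe_url(w["url"]))


if __name__ == "__main__":
    store = WatchStore()
    # Constructed sample requests: one benign, one using the javascript: scheme.
    api_update_watch_vulnerable(store, "watch-1", {"url": "https://example.com/"})
    api_update_watch_vulnerable(store, "watch-2", {"url": "javascript:alert(document.domain)"})
    print("unsafe watches before fix:", find_unsafe_watches(store))
    print("fixed handler status:",
          api_update_watch_fixed(store, "watch-3", {"url": "JavaScript:alert(1)"}))
```

The design point is that validation lives in one function called from every write path; a check that exists only in the form layer is exactly the gap this CVE describes. An allow-list of schemes is preferable to a deny-list of `javascript:`, because `data:` and `vbscript:` URLs are equally unwanted in a link rendered to other users.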
How the Exploit Works
1. Attacker obtains an API key or exploits a CSRF flaw.
2. Attacker sends a PUT request to `/api/v1/watch/`.
3. The request payload sets the `url` field to a `javascript:` payload.
4. The payload is stored in the database.
5. A user clicks the malicious watch link.
6. The payload executes in the user's browser.
Protection from this CVE
1. Apply input validation universally.
2. Sanitize all user-supplied data.
3. Enforce strict CSP headers.
4. Patch to v0.50.25 or newer.
Impact
Session Hijacking
Data Theft
Account Takeover
Admin Compromise
Sources:
Reported By: github.com