4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34061

GHSA ID

GHSA-pwgc-w4x9-gw67

EPSS Score

0.94663%

CWE

CWE-79

Published

5/3/2024

Updated

5/3/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34061

CVE-2024-34061: changedetection.io Cross-site Scripting vulnerability

Summary

Input in parameter notification_urls is not processed resulting in javascript execution in the application

Details

changedetection.io version: v0.45.21

https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.py#L226

        for server_url in field.data:
            if not apobj.add(server_url):
                message = field.gettext('\'%s\' is not a valid AppRise URL.' % (server_url))
                raise ValidationError(message)

PoC

Setting > ADD Notification URL List

"><img src=x onerror=alert(document.domain)>

Requests

Impact

A reflected XSS vulnerability happens when the user input from a URL or POST data is reflected on the page without being stored, thus allowing the attacker to inject malicious content

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34061

GHSA ID

GHSA-pwgc-w4x9-gw67

EPSS Score

0.94663%

CWE

CWE-79

Published

5/3/2024

Updated

5/3/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
changedetection.io	pip	< 0.45.22	0.45.22

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the error message construction in ValidateAppRiseServers validator. The code at line 226 uses string formatting to include user-supplied 'server_url' in validation errors ('%s' substitution). As shown in the PoC, when malicious HTML/JS is entered in notification_urls, it gets reflected unsanitized in the response. The lack of output encoding when rendering error messages containing user input enables XSS. The function is clearly identified in the vulnerability details and matches the attack vector described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Input in p*r*m*t*r noti*i**tion_urls is not pro**ss** r*sultin* in j*v*s*ript *x**ution in t** *ppli**tion ### **t*ils ***n****t**tion.io v*rsion: v*.**.** *ttps://*it*u*.*om/**tlmoon/***n****t**tion.io/*lo*/*.**.**/***n****t**tionio/*

Reasoning

T** vuln*r**ility st*ms *rom t** *rror m*ss*** *onstru*tion in V*li**t**ppRis*S*rv*rs v*li**tor. T** *o** *t lin* *** us*s strin* *orm*ttin* to in*lu** us*r-suppli** 's*rv*r_url' in v*li**tion *rrors ('%s' su*stitution). *s s*own in t** Po*, w**n m*l

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-34061: changedetection.io Cross-site Scripting vulnerability

Summary

Details

PoC

Impact

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI