Input Validation Flaw in Change Detection Service Exposes Sensitive Data
CVE-2024-56509
8.6 HIGH
What is CVE-2024-56509?
ChangeDetection.io, a popular open-source web page change detection and monitoring service, contains an input validation vulnerability that can be exploited for local file read (LFR) and path traversal. The flaw lies in how the application validates user-supplied input before using it to build file paths: the check is weak enough that specially crafted inputs such as 'file:../../../etc/passwd' or 'file:///etc/passwd' bypass it and lead to unauthorized reads of sensitive system files. The issue is fixed in version 0.48.05; earlier versions remain exploitable and carry significant security risk.
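The bypass forms named above defeat checks that string-match a 'file://' prefix, because neither input contains that literal prefix yet both parse to the file scheme. The following added example, which is not code from the changedetection.io project, shows the defensive pattern: parse the URL, normalise it, and accept only an explicit scheme allow-list. The function and constant names are hypothetical.

```python
"""Allow-list URL validator for a page-monitoring fetcher (added example)."""
from __future__ import annotations
from urllib.parse import urlsplit

# Hypothetical allow-list: the only schemes the fetcher may request.
ALLOWED_SCHEMES = frozenset({"http", "https"})

def validate_monitor_url(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    The decision is made on the parsed scheme against an allow-list, never by
    string-matching 'file://': 'file:../x' and 'file:///x' both parse to
    scheme 'file' even though neither starts with that literal prefix.
    """
    url = raw.strip()                  # normalise first, then validate
    parts = urlsplit(url)              # urlsplit lower-cases the scheme
    if not parts.scheme:
        return False, "missing scheme"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.netloc:
        return False, "missing host"   # rejects e.g. 'http:///etc/passwd'
    return True, "ok"

# Constructed inputs: the two forms named in the advisory plus variants that
# slip past prefix-only or case-sensitive checks.
SAMPLE_INPUTS = [
    "https://example.org/page",
    "file:///etc/passwd",
    "file:../../../etc/passwd",
    "FILE:///etc/passwd",
    "  file:///etc/passwd",
    "http:///etc/passwd",
    "example.org/page",
]

def check_samples() -> dict[str, bool]:
    """Map each sample input to whether the validator accepts it."""
    return {u: validate_monitor_url(u)[0] for u in SAMPLE_INPUTS}

if __name__ == "__main__":
    for url in SAMPLE_INPUTS:
        accepted, reason = validate_monitor_url(url)
        print(f"{url!r:30} {'ACCEPT' if accepted else 'REJECT':7} {reason}")
```

Only the plain https sample is accepted; every file-scheme variant is rejected on its parsed scheme, regardless of case, whitespace or slash count.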
Affected Version(s)
changedetection.io < 0.48.05
