CVE-2023-24769
Description
Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in changedetection.io before v0.40.1.1 allows attackers to inject arbitrary JavaScript via the URL parameter when adding a new watch.
Vulnerability Description
Changedetection.io versions prior to v0.40.1.1 contain a stored cross-site scripting (XSS) vulnerability in the main page's "Add a new change detection watch" function. The vulnerability arises because the application does not properly sanitize the URL parameter before storing it, allowing an attacker to inject malicious web scripts or HTML. This input is later rendered on the watch list page without adequate escaping, leading to stored XSS [1][2].
Exploitation
An attacker can exploit this by crafting a payload containing malicious JavaScript and injecting it into the URL field when creating a new watch. The payload is then stored in the application's database and executed in the browser of any user who views the watch list page. No special privileges are required other than the ability to add a watch, which is a standard user function [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement of the watch list page, theft of sensitive information displayed on the page, or forced actions on behalf of the victim. The vulnerability is classified as stored XSS, meaning the malicious code persists for all users who access the affected page [2][3].
Mitigation
The issue has been addressed in changedetection.io version 0.40.1.1. The fix includes restricting allowed URL protocols (e.g., HTTP, HTTPS, FTP) by default, with an environment variable SAFE_PROTOCOL_REGEX available for customization. Users are strongly advised to upgrade to the latest version. No workaround is provided for unpatched installations [4].
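The fix described above has two independent layers: an allowlist on the URL scheme at input time (the page names the `SAFE_PROTOCOL_REGEX` environment variable as the override) and escaping at output time so that whatever is stored cannot be rendered as markup. The following is an added illustration of that pattern, not code from changedetection.io: the default expression, the function names and the semantics of the environment variable are assumptions, and the project's real implementation is not reproduced here.

```python
import html
import os
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed default, modelled on the fix's stated behaviour (HTTP, HTTPS, FTP).
# The project's real default expression is not quoted on this page.
DEFAULT_SAFE_PROTOCOL_REGEX = r"^(https?|ftp)://"


def safe_protocol_regex() -> "re.Pattern[str]":
    """Compile the scheme allowlist.

    Assumed semantics: the SAFE_PROTOCOL_REGEX environment variable, when set,
    replaces the default expression wholesale. Case-insensitive so that an
    upper-cased scheme cannot bypass the check.
    """
    pattern = os.environ.get("SAFE_PROTOCOL_REGEX", DEFAULT_SAFE_PROTOCOL_REGEX)
    return re.compile(pattern, re.IGNORECASE)


def is_allowed_watch_url(url: str, pattern: Optional["re.Pattern[str]"] = None) -> bool:
    """Input-side check: accept only URLs whose scheme is on the allowlist
    and which carry a host. Leading/trailing whitespace is stripped first so
    a padded scheme is matched against the anchored regex as well."""
    url = url.strip()
    pattern = pattern or safe_protocol_regex()
    if not pattern.match(url):
        return False
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)


def render_watch_link(url: str) -> str:
    """Output-side defence: HTML-escape the stored URL (including quotes)
    when it is placed into the watch list, so a value that somehow reached
    the store cannot break out of the attribute or element context."""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def add_watch(store: List[str], url: str) -> bool:
    """Hypothetical 'Add a new change detection watch' handler: validate,
    then store. Returns False and stores nothing when the URL is rejected."""
    if not is_allowed_watch_url(url):
        return False
    store.append(url.strip())
    return True


if __name__ == "__main__":
    watches: List[str] = []
    # Constructed sample inputs: one acceptable watch, one rejected scheme.
    for candidate in ["https://example.com/page", "javascript:void(0)"]:
        print(candidate, "->", "stored" if add_watch(watches, candidate) else "rejected")
    for stored in watches:
        print(render_watch_link(stored))
```

The two checks are deliberately not merged: the allowlist keeps non-web schemes out of the store, while the escaping on render protects users even if the allowlist is later relaxed via the environment variable.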
[1] GitHub - dgtlmoon/changedetection.io
[2] NVD - CVE-2023-24769
[3] advisory-database/vulns/changedetection-io/PYSEC-2023-10.yaml at main · pypa/advisory-database
[4] Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` by dgtlmoon · Pull Request #1359 · dgtlmoon/changedetection.io
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| changedetection.io (PyPI) | < 0.40.2 | 0.40.2 |
Affected products
- Changedetection.io / Changedetection.io
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-68wj-c2jw-5pp9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-24769 (ghsa, ADVISORY)
- github.com/dgtlmoon/changedetection.io/issues/1358 (ghsa, WEB)
- github.com/dgtlmoon/changedetection.io/pull/1359 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2023-10.yaml (ghsa, WEB)
- www.edoardoottavianelli.it/CVE-2023-24769 (ghsa, WEB)
- www.youtube.com/watch (ghsa, WEB)
News mentions
No linked articles in our index yet.