Primary

Context

changedetection.io Cross-Site Scripting Vulnerability in Error Handling

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in changedetection.io, a web page change detection and notification service, in versions prior to 0.50.4. The issue arises because errors in website change detection filters were not properly sanitized, allowing for the injection of malicious scripts.

Impact

The vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a watch that includes a filter generating an error. The error message will contain unfiltered text, including HTML elements such as images. This can be done by introducing a filter that is known to fail, such as one that expects a specific format or value that is not provided.

Remediation

Users can upgrade to changedetection.io version 0.50.4 or later, where this vulnerability has been patched.

Added: Jun 23, 2025, 9:45 PM

Updated: Jun 23, 2025, 9:45 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

1.7

exploitability

7.0

remediation

7.7

relevance

0.2

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

1.7

exploitability

7.0

remediation

7.7

relevance

0.2

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

changedetection.io Cross-Site Scripting Vulnerability in Error Handling

Vulnerability

Impact

Reproduction

Remediation

Affected Products

changedetection.io

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating