changedetection.io Reflected Cross-Site Scripting Vulnerability in RSS Single-Watch Endpoint

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in changedetection.io, a web page change detection tool, in versions prior to 0.54.1. The RSS single-watch endpoint reflects the UUID path parameter directly into the HTTP response body without HTML escaping, so a crafted link can place JavaScript in the response that executes in the context of the victim's session. The vulnerability was confirmed on version 0.53.6, and several instances exposed in the wild are affected.
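The reflection described above, as an added illustration that is not changedetection.io's own code: a minimal vulnerable renderer that interpolates the UUID path segment verbatim, beside a hardened one that only accepts a canonical UUID and still escapes it on output. It also builds the link an attacker would send. The response body layout, the sample UUID and token, and the route shape /rss/watch/<uuid> are assumptions made for the example; the advisory does not give the real path or response format.

```python
import html
import uuid
from urllib.parse import quote

# Constructed sample values (not taken from the advisory or the project).
SAMPLE_UUID = "2f1c6b9e-9a3e-4c1d-8f3b-0a7c1e5d2b44"
SAMPLE_TOKEN = "examplersstoken"
XSS_PAYLOAD = "<img src=x onerror=alert(document.cookie)>"
# Assumed route shape for illustration only; the advisory does not state
# the real path of the single-watch RSS endpoint.
RSS_WATCH_PATH = "/rss/watch/{watch_uuid}"


def render_rss_vulnerable(watch_uuid: str) -> str:
    """Stand-in for the pre-0.54.1 behaviour the advisory describes: the
    UUID path segment is written into the response body without escaping.
    The body layout is invented; only the missing escaping matters."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0"><channel>\n'
        f"<title>changedetection.io watch {watch_uuid}</title>\n"
        "</channel></rss>\n"
    )


def canonical_uuid(value: str) -> str:
    """Accept only a canonical, lower-case, hyphenated UUID.

    uuid.UUID() also accepts braces, a urn: prefix, upper case and
    unhyphenated hex, so the round-trip comparison rejects those looser
    spellings as well. Raises ValueError on anything else, including an
    XSS payload."""
    try:
        canonical = str(uuid.UUID(value))
    except ValueError:
        raise ValueError("watch id is not a UUID") from None
    if canonical != value:
        raise ValueError("watch id is not in canonical form")
    return canonical


def is_valid_watch_id(value: str) -> bool:
    """Boolean form of the same check, for use at a request boundary."""
    try:
        canonical_uuid(value)
    except ValueError:
        return False
    return True


def render_rss_hardened(watch_uuid: str) -> str:
    """Hardened form: validate the path segment as a UUID first, and still
    escape it on output so a later relaxation of the check cannot bring
    the reflection back."""
    safe = html.escape(canonical_uuid(watch_uuid), quote=True)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<rss version="2.0"><channel>\n'
        f"<title>changedetection.io watch {safe}</title>\n"
        "</channel></rss>\n"
    )


def build_repro_url(base_url: str, payload: str, token: str) -> str:
    """The link an attacker would send: the payload in the UUID position,
    percent-encoded so it survives the path, plus the RSS access token."""
    path = RSS_WATCH_PATH.format(watch_uuid=quote(payload, safe=""))
    return f"{base_url}{path}?token={quote(token, safe='')}"


def reflects_unescaped(body: str, payload: str) -> bool:
    """True if the payload appears in the body byte-for-byte, i.e. a browser
    rendering the body as HTML would parse it as markup, not text."""
    return payload in body


if __name__ == "__main__":
    print("repro URL:", build_repro_url("https://changedetection.example", XSS_PAYLOAD, SAMPLE_TOKEN))
    print("vulnerable reflects payload:", reflects_unescaped(render_rss_vulnerable(XSS_PAYLOAD), XSS_PAYLOAD))
    print("hardened accepts payload:", is_valid_watch_id(XSS_PAYLOAD))
    print("hardened accepts real UUID:", SAMPLE_UUID in render_rss_hardened(SAMPLE_UUID))
```

The strict canonical-form check is deliberate: a UUID is one of the few inputs that can be whitelisted exactly, so there is no reason to rely on output encoding alone for it.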

Impact

Exploitation of this vulnerability runs attacker-supplied script in the victim's browser on the origin of the changedetection.io instance. If the session cookie is not marked HttpOnly, the script can read it via document.cookie and exfiltrate it, leading to account takeover; even when it is, the script still runs with the victim's session and can issue authenticated requests to the instance. The vulnerability can also be used for phishing, since the malicious link points at a trusted changedetection.io instance.

Reproduction

To reproduce this vulnerability, first obtain a valid RSS access token, which is displayed on the homepage of the changedetection.io instance and which the RSS endpoint requires. Then build a URL for the RSS single-watch endpoint in which the UUID path segment is replaced by a percent-encoded XSS payload, for example an image tag whose onerror handler runs attacker-supplied JavaScript. Deliver this link to a victim who has an active session on the same instance. When the victim opens it, the endpoint reflects the payload unescaped into the response and the injected JavaScript executes in the victim's session context.
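What the reproduction above looks like in a web server's access log, and one way to hunt for it, as an added example that is not part of the advisory or of the changedetection.io project: parse combined-format log lines, pick out requests to the single-watch RSS route, and flag any whose UUID segment is not a canonical UUID, decoding percent-encoding repeatedly so a double-encoded payload is still recognised as markup. The log lines are constructed, and the route shape /rss/watch/<uuid> is an assumption; adjust RSS_WATCH_RE to the real path on the instance being monitored.

```python
import re
import uuid
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 2 carries a single-encoded payload, line 3 a double-encoded one.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:05:10:01 +0000] "GET /rss/watch/2f1c6b9e-9a3e-4c1d-8f3b-0a7c1e5d2b44?token=abc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2026:05:11:44 +0000] "GET /rss/watch/%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E?token=abc HTTP/1.1" 200 901 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2026:05:11:50 +0000] "GET /rss/watch/%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E?token=abc HTTP/1.1" 200 901 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:05:12:09 +0000] "GET /?token=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumed route shape: the watch UUID is the last segment under /rss/watch/.
RSS_WATCH_RE = re.compile(r"^/rss/watch/([^/]+)$")
# Crude markup indicators: tag delimiters, an on*= event handler, javascript: URLs.
MARKUP_RE = re.compile(r"<|>|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def is_canonical_uuid(value: str) -> bool:
    """True only for a lower-case, hyphenated UUID; anything else is suspect."""
    try:
        return str(uuid.UUID(value)) == value
    except ValueError:
        return False


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, bounded to avoid
    spending unbounded work on adversarial input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rss_xss_attempts(log_text: str) -> list:
    """Return one finding per request whose RSS watch segment is not a UUID."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path  # urlsplit leaves percent-encoding intact
        r = RSS_WATCH_RE.match(path)
        if not r:
            continue
        raw = r.group(1)
        if is_canonical_uuid(raw):
            continue
        decoded = fully_decode(raw)
        findings.append({
            "line": lineno,
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "segment": decoded,
            "markup": bool(MARKUP_RE.search(decoded)),
            # True when a single decode pass was not enough to reach the payload.
            "double_encoded": unquote(raw) != decoded,
        })
    return findings


if __name__ == "__main__":
    for f in find_rss_xss_attempts(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} status={f['status']} markup={f['markup']} "
              f"double_encoded={f['double_encoded']} segment={f['segment']!r}")
```

A 200 status on a flagged request is the interesting case: it means the instance served the reflected body rather than rejecting the malformed UUID, which is exactly the pre-0.54.1 behaviour.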

Remediation

Users are advised to update to changedetection.io version 0.54.1 or later, which fixes this vulnerability.

Added: Feb 25, 2026, 5:24 AM
Updated: Feb 25, 2026, 5:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.7
exploitability: 7.2
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.