PYSEC-2024-15

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/changedetection-io/PYSEC-2024-15.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-15
Aliases
Published
2024-01-19T20:15:00Z
Modified
2024-01-26T22:41:33.571254Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

PyPI / changedetection-io

Package

Name
changedetection-io
View open source insights on deps.dev
Purl
pkg:pypi/changedetection-io

Affected ranges

Type
GIT
Repo
https://github.com/dgtlmoon/changedetection.io
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0.39.14
Fixed
0.45.13

Affected versions

0.*

0.39.14
0.39.14.1
0.39.15
0.39.16
0.39.17
0.39.17.1
0.39.17.2
0.39.18
0.39.19
0.39.19.1
0.39.20
0.39.20.1
0.39.20.2
0.39.20.3
0.39.20.4
0.39.21
0.39.21.1
0.39.22
0.39.22.1
0.40.0
0.40.0.1
0.40.0.2
0.40.0.3
0.40.0.4
0.40.1.0
0.40.1.1
0.40.2
0.40.3
0.41
0.41.1
0.42
0.42.1
0.42.2
0.42.3
0.43.1
0.43.2
0.44
0.44.1
0.45
0.45.1
0.45.2
0.45.3
0.45.4
0.45.5
0.45.6
0.45.7
0.45.7.1
0.45.7.2
0.45.7.3
0.45.8
0.45.8.1
0.45.9
0.45.11
0.45.12