Vulnerability Information
Vulnerability Title
changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs
Vulnerability Description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
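One way to implement the resolved-address check the advisory says was missing, added here as an example (not changedetection.io's own `is_safe_valid_url()`): resolve the watch URL's host, then refuse any address in a private, loopback, link-local or other non-public range. The DNS table and `fake_resolver` are constructed assumptions so the code runs offline; `system_resolver` is what a deployment would pass instead.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS answers so the example runs offline (assumption, not real records).
CONSTRUCTED_DNS = {
    "intranet.example": ["10.0.0.5"],
    "public.example": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "::ffff:192.168.1.1"],
}

def fake_resolver(hostname):
    return CONSTRUCTED_DNS.get(hostname, [])

def system_resolver(hostname):
    """Real resolver: every A/AAAA record for the hostname."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    except socket.gaierror:
        return []

def is_safe_watch_url(url, resolver=system_resolver):
    """Return (ok, reason). Hypothetical hardened check: scheme must be http(s)
    and every address the host resolves to must be public. All records are
    checked, because one name can mix a public and an internal address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "hostname did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # IPv4-mapped IPv6 (::ffff:192.168.1.1) is judged by the embedded IPv4 address
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Checking only when the watch is added still leaves a window between resolution and the actual fetch (DNS rebinding), so the same test should also be applied to the address the fetcher finally connects to.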
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
Server-Side Request Forgery (SSRF)
Vulnerability Title
changedetection.io security vulnerability
Vulnerability Description
changedetection.io is a website change detection, monitoring and notification application by the individual developer dgtlmoon. Versions of changedetection.io prior to 0.54.1 contain a security vulnerability that stems from the URL validation function is_safe_valid_url() not validating the resolved IP address of watch URLs against private, loopback or link-local address ranges. This may allow an authenticated user (or, in the default case where no password is configured, any user) to add a watch for internal network URLs, resulting in server-side request forgery and the leakage of internal service data.
CVSS Information
N/A
Vulnerability Type
N/A