Lucene search

Veracode Vulnerability DatabaseVERACODE:45136

HistoryJan 23, 2024 - 10:43 a.m.

Missing Authorization

2024-01-2310:43:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

missing authorization

watchhistory

unauthorized access

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

changedetection_io is vulnerable to Missing Authorization. The vulnerability is due to a missing annotation @auth.check_token on the WatchHistory API endpoint /api/v1/watch//history. This can allows an unauthorized actor to access the endpoint (without providing a x-api-key header) and and check a users watch history.

References

github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156

github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0f

github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwr

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Related for VERACODE:45136