CVE-2024-51998
CVSS 3.1 Score 8.6 of 10 (high)
Details
Summary
CVE-2024-51998 is a vulnerability affecting the open-source web page change detection tool, changedetection.io. The tool's validation for file URI schemes is insufficient, allowing attackers to read arbitrary files on the system when a webdriver is enabled and `ALLOW_FILE_URI` is false or undefined. The issue arises because the check for URL protocol, `is_safe_url`, permits `file:` as a URL scheme, but does not require double slashes at the beginning, leading to a potential security loophole. This vulnerability has been resolved in version 0.47.06, and users are strongly urged to upgrade. No known workarounds are available.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.