{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dgtlmoon/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":["CVE-2026-43891"],"_cs_exploited":false,"_cs_products":["changedetection.io (\u003c= 0.54.10)"],"_cs_severities":["medium"],"_cs_tags":["arbitrary-file-read","vulnerability","changedetection.io"],"_cs_type":"advisory","_cs_vendors":["dgtlmoon"],"content_html":"\u003cp\u003eA vulnerability in changedetection.io versions 0.54.10 and earlier allows arbitrary local file read. The flaw stems from the application trusting attacker-controlled snapshot paths when restoring watches from a backup file. By crafting a malicious backup ZIP archive, an attacker can edit the \u003ccode\u003ehistory.txt\u003c/code\u003e file within the archive so that an entry points at a sensitive local file readable by the application process. Once the crafted backup is restored, the application reads and displays the contents of the referenced file through the Preview UI or the watch history API, bypassing the intended restriction of history entries to the watch\u0026rsquo;s own snapshot files. This vulnerability, identified as CVE-2026-43891, poses a significant risk to deployments where the application process can read sensitive system files, secrets, or configuration data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eEvery step below goes through the application\u0026rsquo;s own UI, so exploitation requires whatever access the deployment grants to the watch creation, backup and restore functions.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a normal watch in the changedetection.io UI to generate a valid history entry.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a backup archive using the application\u0026rsquo;s built-in backup functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the backup archive and locates the watch UUID directory containing the \u003ccode\u003ewatch.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003ehistory.txt\u003c/code\u003e file within the watch UUID directory, replacing the latest history entry with a path to a sensitive local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repacks the backup archive, ensuring that the UUID directories are located at the root of the ZIP archive.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the restore functionality within the changedetection.io UI to restore the modified backup archive, replacing existing watches.\u003c/li\u003e\n\u003cli\u003eAfter the restore process completes, the attacker accesses the \u0026ldquo;Preview\u0026rdquo; function for the restored watch.\u003c/li\u003e\n\u003cli\u003eThe application reads the attacker-controlled path from \u003ccode\u003ehistory.txt\u003c/code\u003e and displays the contents of the referenced local file in the Preview UI; the same entry is served by the watch history API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary local files accessible to the changedetection.io application process. 
This can lead to the disclosure of sensitive information such as system files (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e), application configuration files, API tokens, database credentials, and other secrets. The read runs with the privileges of the application process, so exposure is bounded by what that process can open; it is particularly severe in Docker or host-mounted deployments where secrets and configuration files are mounted readable by the service. The flaw itself only discloses data, but disclosed credentials (API tokens, database passwords, cloud keys) can be reused to compromise the application or adjacent systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of changedetection.io later than 0.54.10 to patch CVE-2026-43891.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect changedetection.io Arbitrary File Read Attempt\u0026rdquo; to identify attempts to reference sensitive files from \u003ccode\u003ehistory.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRun the service under a dedicated low-privilege account and mount only the directories it needs, so that even a successful read is limited to the application\u0026rsquo;s own data.\u003c/li\u003e\n\u003cli\u003eTreat backup archives as untrusted input: restore only archives produced by your own deployment, and restrict the restore function to trusted administrators.\u003c/li\u003e\n\u003cli\u003eAs described in the advisory, normalize every history entry to \u003ccode\u003eos.path.basename(v)\u003c/code\u003e in the \u003ccode\u003eWatch.py\u003c/code\u003e file, so that a stored entry can only name a file inside the watch\u0026rsquo;s own directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-changedetectionio-file-read/","summary":"changedetection.io is vulnerable to arbitrary local file read due to insufficient validation of snapshot paths restored from backup files, allowing attackers to read sensitive files by crafting a malicious backup archive containing a manipulated `history.txt` file.","title":"changedetection.io Arbitrary Local File Read via Crafted Backup Restore","url":"https://feed.craftedsignal.io/briefs/2024-01-03-changedetectionio-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Dgtlmoon","version":"https://jsonfeed.org/version/1.1"}
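The attack chain and the basename fix above, modelled end to end as an added Python example. This is example code written for this brief, not changedetection.io's own implementation or the advisory's proof of concept. It assumes a backup ZIP laid out as `<watch-uuid>/watch.json` plus `<watch-uuid>/history.txt` at the archive root, that `history.txt` carries one `timestamp,snapshot-path` line per entry (the real on-disk format may differ), and that Preview shows the snapshot named by the newest entry; the function names, the `SNAPSHOT_NAME` constant and the "secret" file are all constructed for the example.

```python
"""Model of the crafted-backup file read and a hardened restore (example only)."""
import io
import json
import os
import tempfile
import uuid
import zipfile

SNAPSHOT_NAME = "abc123.txt"  # constructed name for the benign snapshot file


def build_backup(newest_entry: str, watch_id: str = "") -> bytes:
    """Build an in-memory backup ZIP whose newest history entry is attacker-chosen."""
    watch_id = watch_id or str(uuid.uuid4())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{watch_id}/watch.json", json.dumps({"url": "https://example.invalid/"}))
        zf.writestr(f"{watch_id}/{SNAPSHOT_NAME}", "benign snapshot")
        # A valid entry first, then the one the attacker edited in; the newest wins.
        zf.writestr(f"{watch_id}/history.txt",
                    f"1700000000,{SNAPSHOT_NAME}\n1700000001,{newest_entry}\n")
    return buf.getvalue()


def restore(backup: bytes, datastore: str) -> str:
    """Unpack the backup into the datastore and return the restored watch UUID."""
    with zipfile.ZipFile(io.BytesIO(backup)) as zf:
        zf.extractall(datastore)  # entry names here are our own and relative
        return zf.namelist()[0].split("/", 1)[0]


def newest_snapshot_entry(watch_dir: str) -> str:
    """Return the snapshot path recorded by the last non-empty history.txt line."""
    with open(os.path.join(watch_dir, "history.txt"), encoding="utf-8") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    return lines[-1].split(",", 1)[1]


def preview_vulnerable(datastore: str, watch_id: str) -> str:
    """Trusts the stored path verbatim: os.path.join discards watch_dir when the
    entry is absolute, and '../' entries walk out of it."""
    watch_dir = os.path.join(datastore, watch_id)
    path = os.path.join(watch_dir, newest_snapshot_entry(watch_dir))
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def preview_hardened(datastore: str, watch_id: str) -> str:
    """Keep only the file name (the basename fix), then confirm the resolved path
    is a direct child of watch_dir before opening it."""
    watch_dir = os.path.realpath(os.path.join(datastore, watch_id))
    name = os.path.basename(newest_snapshot_entry(watch_dir))
    path = os.path.realpath(os.path.join(watch_dir, name))
    if os.path.dirname(path) != watch_dir:
        raise ValueError("snapshot entry escapes the watch directory")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def make_secret(text: str = "API_TOKEN=constructed-example-value\n") -> str:
    """Write a constructed 'sensitive' file outside the datastore; return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="cd-host-"), "secrets.env")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def demo(newest_entry: str) -> dict:
    """Restore a backup whose newest entry is newest_entry and preview it both ways.
    Each result is the file content on success or the exception name on refusal."""
    datastore = tempfile.mkdtemp(prefix="cd-datastore-")
    watch_id = restore(build_backup(newest_entry), datastore)
    result = {}
    for label, preview in (("vulnerable", preview_vulnerable), ("hardened", preview_hardened)):
        try:
            result[label] = preview(datastore, watch_id)
        except (OSError, ValueError) as exc:
            result[label] = type(exc).__name__
    return result


if __name__ == "__main__":
    print(demo(make_secret()))   # vulnerable leaks the token; hardened: FileNotFoundError
    print(demo(SNAPSHOT_NAME))   # both previews return "benign snapshot"
```

The hardened preview applies the advisory's `os.path.basename` normalization and then re-checks the resolved path, so an absolute entry is reduced to a name that does not exist in the watch directory, `..` is rejected outright, and a legitimate snapshot still renders.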