CVE-2024-23329: 
Python vulnerability analysis and mitigation

The vulnerability (CVE-2024-23329) affects changedetection.io, an open-source tool designed to monitor websites for content changes. In affected versions (0.39.14 to 0.45.12), the API endpoint /api/v1/watch//history can be accessed by any unauthorized user due to missing authentication checks. The vulnerability was discovered and disclosed on January 19, 2024, and has been addressed in version 0.45.13 (GitHub Advisory).

The vulnerability stems from the WatchHistory resource lacking the @auth.check_token annotation in the API implementation, which means it can be accessed without providing the required x-api-key header. The issue has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity, no privileges required, and low confidentiality impact (GitHub Advisory).

The vulnerability allows unauthorized users to access watch history information. However, the impact is considered minimal because an attacker would first need to know a watch UUID, and the watch history endpoint only returns paths to snapshots on the server rather than the actual content (GitHub Advisory).

The vulnerability has been fixed in version 0.45.13 by adding proper API token secure checks for the affected endpoint. Users are advised to upgrade to this version or later. No alternative workarounds have been provided (GitHub Advisory).