changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
References
Configurations
No configuration.
History
07 Jun 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary |
|
26 Apr 2024, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-26 00:15
Updated : 2024-06-07 17:15
NVD link : CVE-2024-32651
Mitre link : CVE-2024-32651
CVE.ORG link : CVE-2024-32651
JSON object : View
Products Affected
No product.
CWE
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine