CVE-2024-32651: Server Side Template Injection in Jinja2 allows Remote Command Execution

10.0 CVSS

Description

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

Classification

CVE ID: CVE-2024-32651

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor: dgtlmoon

Product: changedetection.io

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 31.97% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2
https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/

Timeline

2025-02-14 00:31:56 UTC
CVE

Server Side Template Injection in Jinja2 allows Remote Command Execution