CVE-2024-32651

Name of the Vulnerable Software and Affected Versions changedetection.io version 0.45.20

Description The issue is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without restriction and could use a reverse shell. The impact is critical as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application.

Recommendations For version 0.45.20, consider protecting changedetection access with a login page and password to reduce the risk of exploitation. As a temporary workaround, restrict access to the vulnerable Jinja2 template engine until a patch is available. Avoid using the notification body and notification title parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.