Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-32651
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Server Side Template Injection in Jinja2 allows Remote Command Execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1336
Source: NVD (National Vulnerability Database)
Vulnerability Title
ChangeDetection.io 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
changedetection.io是dgtlmoon个人开发者的一个网站变更检测、监控和通知应用程序。 ChangeDetection.io 21.045之前版本存在安全漏洞,该漏洞源于使用 Jinja2 的不安全功能而导致服务器端模板注入,允许在服务器主机上执行远程命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
dgtlmoonchangedetection.io <= 0.45.20 -
II. Public POCs for CVE-2024-32651
#POC DescriptionSource LinkShenlong Link
1changedetection rce though sstihttps://github.com/zcrosman/cve-2024-32651POC Details
2Server-Side Template Injection Exploithttps://github.com/s0ck3t-s3c/CVE-2024-32651-changedetection-RCEPOC Details
3A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host. https://github.com/projectdiscovery/nuclei-templates/blob/main/passive/cves/2024/CVE-2024-32651.yamlPOC Details
4A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-32651.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-32651
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: changedetection.io
Same vendor: dgtlmoon
Same weakness: CWE-1336
V. Comments for CVE-2024-32651

No comments yet

Leave a comment