Homepage
About Snyk

Server-Side Template Injection Affecting changedetection.io package, versions [,0.45.21)

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-CHANGEDETECTIONIO-6674055
  • published 26 Apr 2024
  • disclosed 26 Apr 2024
  • credit Edoardo Ottavianelli
Report a new vulnerability Found a mistake?

Introduced: 26 Apr 2024

CVE-2024-32651 Open this link in a new tab
CWE-1336 Open this link in a new tab

How to fix?

Upgrade changedetection.io to version 0.45.21 or higher.

Overview

changedetection.io is a Website change detection and monitoring service

Affected versions of this package are vulnerable to Server-Side Template Injection due to improper handling of template data. An attacker can execute arbitrary commands on the server by crafting malicious input that exploits the template rendering process.

Notes:

  1. This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).

2)This vulnerability is particularly severe as it allows for complete server takeover without any restrictions, such as running a reverse shell.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
10 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High