.. / CVE-2024-32651

Exploit for Change Detection (changedetection.io) < 0.45.21 - Unauthenticated Remote Code Execution (CVE-2024-32651)

Description:

A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.

Affected Products:

Proof of Concept

PoC exploit

Nuclei Template

View the template here CVE-2024-32651.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-32651.yaml
Copy

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-32651
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2