CVE-2024-32651
published 2024-04-26

Priority: P1 · 85 · critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EXPLOIT
EPSS: 83.72% (99.7th percentile)

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without restriction, and they could use a reverse shell. The impact is critical, as the attacker can completely take over the server machine. The risk can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | <= 0.45.20 | |
| dgtlmoon | changedetection.io | >= 0 < 0.45.21 | 0.45.21 |

Detection & IOCs (extracted from sources)

other: compare_versions(version, '<= 0.45.20')
other: html:"Change Detection"
sigma: Nuclei Template CVE-2024-32651: GET {{RootURL}}/ with xpath extractor on //*[@id="right-sticky"], match body word 'Change Detection', status 200, version <= 0.45.20
  • Vulnerable versions of changedetection.io are 0.45.20 and below; upgrade to 0.45.21 or later to remediate the SSTI RCE.
  • Identify exposed changedetection.io instances via Shodan using the query html:"Change Detection" as a pre-exploitation reconnaissance indicator.
  • The SSTI payload is injected via Jinja2 unsafe functions; monitor for template injection patterns (e.g., {{...}} or {%...%} in user-controlled inputs) reaching the changedetection.io application.
  • Attackers can leverage the SSTI to spawn a reverse shell; monitor for unexpected outbound connections and shell process spawning from the changedetection.io process.
  • The vulnerability is exploitable without authentication by default; prioritize detection on internet-facing changedetection.io deployments not protected by a login page.
  • Detection probe: HTTP GET to the root path '/' of a changedetection.io instance; presence of 'Change Detection' in the response body combined with version <= 0.45.20 (extracted from XPath //*[@id="right-sticky"]) confirms a vulnerable target.
  • The EPSS score is extremely high (0.92455, 99.73rd percentile), indicating this vulnerability is very likely being actively exploited in the wild; treat as high-priority.
  • The vulnerability has a CVSS score of 10 (maximum) with network attack vector, no privileges required, and no user interaction; scope is changed with high impact on confidentiality, integrity, and availability.
  • Authentication is not enforced by default in changedetection.io; placing the application behind a login page reduces but does not eliminate risk.
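
The version check from the detection notes, as an added example (not code from changedetection.io or from the Nuclei template): it reads the version shown in the `right-sticky` element of an already-saved page from your own deployment and compares it numerically against the fixed release 0.45.21. The sample HTML is constructed, and the element text format (`v0.45.20`) is an assumption.

```python
import re
from html.parser import HTMLParser

FIXED = (0, 45, 21)  # first fixed release, from the Affected table
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag

class StickyText(HTMLParser):
    """Collects the text inside the element with id="right-sticky"."""
    def __init__(self):
        super().__init__()
        self.depth = 0    # > 0 while inside the target element
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        if self.depth:
            self.depth += 1
        elif dict(attrs).get("id") == "right-sticky":
            self.depth = 1

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)

def extract_version(html):
    """Return the (major, minor, patch) shown in #right-sticky, or None."""
    if "Change Detection" not in html:
        return None  # body marker from the detection notes is absent
    parser = StickyText()
    parser.feed(html)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", "".join(parser.chunks))
    return tuple(int(x) for x in m.groups()) if m else None

def assess(html):
    """Classify a saved page as 'vulnerable', 'patched' or 'unknown'."""
    version = extract_version(html)
    if version is None:
        return "unknown"
    # Integer tuples, so 0.45.3 sorts below 0.45.21 (string compare would not).
    return "vulnerable" if version < FIXED else "patched"

# Constructed sample page; assumes the element text looks like "v0.45.20".
SAMPLE = ('<html><head><title>Change Detection</title></head><body>'
          '<div id="right-sticky"><span>v0.45.20</span></div></body></html>')

if __name__ == "__main__":
    print(assess(SAMPLE))
```

An "unknown" result means the version could not be read, not that the instance is safe; confirm the installed release directly in that case.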