changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
An attacker can inject a malicious payload into a Jinja2 template processed on the server side. The template engine executes the injected code in the server context without any restrictions, enabling the execution of arbitrary system commands. In this way, an attacker can establish a reverse connection (reverse shell), gaining interactive access to the server machine. By default, the application does not require authentication, making the vulnerability accessible to anyone without prior login.
An attacker can execute arbitrary system commands on the server without any restrictions and completely take control of the machine hosting the application. It is also possible to establish a reverse shell, which provides persistent, interactive access to the server environment.
changedetection.io should be updated to version 0.45.21 or later. Additionally, as a risk mitigation measure, it is recommended to secure access to the application by enforcing authentication (login page), which restricts access to vulnerable functionality — however, the vendor does not enforce this by default.
changedetection.io — versions before 0.45.21 (patch available in version 0.45.21 according to vendor references)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H