Cyber Resilience

CVE-2024-51483

Medium

Published: 01 November 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: 0.47.5
CVSS Score: v4 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.3909 (97.4th percentile)
Risk Priority: 37 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-51483 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS 97.4th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

changedetection.io is an open source web page change detection tool that supports multiple fetch methods, including WebDriver-based retrieval. Prior to version 0.47.5, the application failed to sanitize source URLs supplied to the WebDriver processor: the `file://` scheme block was applied to the raw string, so a value such as `source:file:///etc/passwd` passed the check and caused the fetcher to read arbitrary local files on the host running the changedetection service. The issue is tracked as CWE-22 and carries a CVSS 4.0 score of 6.9.

An unauthenticated remote attacker who can reach the changedetection.io web interface can create or modify a watch, supply the WebDriver source prefix, and retrieve sensitive files such as /etc/passwd or application configuration. Successful exploitation yields local file disclosure without requiring authentication or user interaction.

The project security advisory GHSA-cwgg-57xj-g77r and the accompanying patch release 0.47.5 address the flaw by tightening input validation inside the Watch model and processor initialization code. The EPSS score has remained flat at 0.39 with no material post-disclosure rise.

Vulnerability details

changedetection.io is free, open source web page change detection software. Prior to version 0.47.5, when a WebDriver is used to fetch files, `source:file:///etc/passwd` can be used to retrieve local system files, where the more traditional `file:///etc/passwd` gets blocked. Version 0.47.5 fixes the issue.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

changedetection.io prior to version 0.47.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
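The bypass described in the Deeper analysis and the control listed above come down to one design choice: a scheme check applied as a denylist on the raw input string can be defeated by anything placed in front of the blocked scheme, whereas an allowlist applied after the input has been normalised into the form the fetcher will actually use cannot. The following Python is an added example written for this page; it is not changedetection.io's code and does not reproduce the project's actual fix. The `source:` prefix handling, the function names and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example only: a watch URL may carry a "source:" prefix that
# asks the fetcher to return raw page source (the advisory shows
# "source:file:///etc/passwd" as the bypass string). The real project's prefix
# handling and its 0.47.5 fix are not reproduced here.
SOURCE_PREFIX = "source:"
ALLOWED_SCHEMES = frozenset({"http", "https"})


def naive_file_block(raw_url: str) -> bool:
    """Weak check of the kind the advisory describes: a denylist applied to the
    raw string, so any text in front of 'file://' defeats it.
    Returns True when the URL would be accepted."""
    return not raw_url.strip().lower().startswith("file://")


def normalise_watch_url(raw_url: str) -> str:
    """Strip the fetch-mode prefix exactly once, the way the fetcher would
    before handing the URL to the WebDriver. Validation must run on this
    normalised form, not on the raw input."""
    url = raw_url.strip()
    if url.lower().startswith(SOURCE_PREFIX):
        url = url[len(SOURCE_PREFIX):].strip()
    return url


def is_safe_watch_url(raw_url: str) -> bool:
    """Hardened check: validate after normalisation and against an allowlist
    of schemes, so no prefix can smuggle a blocked scheme past it.
    Returns True when the URL is acceptable."""
    try:
        parts = urlsplit(normalise_watch_url(raw_url))
    except ValueError:            # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False              # file:, ftp:, data:, empty scheme, ...
    if not parts.netloc:
        return False              # "http:///etc/passwd" has no host
    return True


def validate_watch_url(raw_url: str) -> str:
    """Entry point a Watch model could call on create/update: returns the
    normalised URL or raises ValueError with a non-revealing message."""
    if not is_safe_watch_url(raw_url):
        raise ValueError("watch URL must be an http(s) URL with a host")
    return normalise_watch_url(raw_url)


if __name__ == "__main__":
    # Constructed sample inputs; the first is the bypass string from the advisory.
    for candidate in ("source:file:///etc/passwd",
                      "file:///etc/passwd",
                      "source:https://example.com/status",
                      "https://example.com/status"):
        print(f"{candidate!r:40} naive={naive_file_block(candidate)!s:5} "
              f"hardened={is_safe_watch_url(candidate)}")
```

Running the block prints the two checks side by side: the naive denylist accepts `source:file:///etc/passwd` while rejecting `file:///etc/passwd`, and the hardened allowlist rejects both. Validating the normalised URL also means a check added in one place (the model) cannot be bypassed by a different spelling of the prefix (`SOURCE:`, surrounding whitespace) that the fetcher would still honour.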
