Search for packages
| purl | pkg:gem/camaleon_cms@0.1.7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-698a-rmdd-vqhs
Aliases: CVE-2025-2304 GHSA-rp28-mvq3-wf8j |
Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering. |
Affected by 1 other vulnerability. |
|
VCID-6xw2-ykvp-4qaw
Aliases: CVE-2021-25970 GHSA-438x-2p9v-g8h9 |
Insufficient Session Expiration Camaleon CMS to doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. |
Affected by 3 other vulnerabilities. |
|
VCID-92b4-usmp-93bb
Aliases: CVE-2023-30145 GHSA-x487-866m-p8hr |
Server-Side Template Injection in Camaleon CMS Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-b2rx-y3hz-63dx
Aliases: CVE-2021-25969 GHSA-x78v-4fvj-rg9j |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In “Camaleon CMS” application to are vulnerable to stored XSS, that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||