Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/camaleon_cms@2.8.1
purl pkg:gem/camaleon_cms@2.8.1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-5gks-ge3p-tya5
Aliases:
CVE-2025-2304
GHSA-rp28-mvq3-wf8j
A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.
2.9.1
Affected by 1 other vulnerability.
VCID-6vu4-jbn6-mqh9
Aliases:
CVE-2024-46986
GHSA-wmjg-vqhv-q5p5
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. There are no reported fixed by versions.
VCID-9wt5-cqus-d3bm
Aliases:
GHSA-75j2-9gmc-m855
Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
2.8.2
Affected by 4 other vulnerabilities.
VCID-jcrg-ej53-zfeg
Aliases:
CVE-2026-1776
GHSA-jw5g-f64p-6x78
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend. There are no reported fixed by versions.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-5b2p-u2bg-h7dq Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184) GHSA-r9cr-qmfw-pmrc
VCID-6vu4-jbn6-mqh9 Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-46986
GHSA-wmjg-vqhv-q5p5
VCID-9pwj-kwvj-rkdf Duplicate Advisory: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) GHSA-3hp8-6j24-m5gm
VCID-m6vs-j86s-dud3 Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) GHSA-7x4w-cj9r-h4v9
VCID-s4kg-6wpn-fke4 Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184) GHSA-8fx8-3rg2-79xw
VCID-v1vd-3v7v-8qht Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-46987
GHSA-cp65-5m9r-vc2c

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T09:53:30.505489+00:00 GHSA Importer Affected by VCID-5gks-ge3p-tya5 https://github.com/advisories/GHSA-rp28-mvq3-wf8j 38.6.0
2026-06-13T09:27:42.574763+00:00 Ruby Importer Affected by VCID-jcrg-ej53-zfeg https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2026-1776.yml 38.6.0
2026-06-13T09:26:19.375564+00:00 Ruby Importer Affected by VCID-5gks-ge3p-tya5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml 38.6.0
2026-06-13T09:25:18.443595+00:00 Ruby Importer Affected by VCID-9wt5-cqus-d3bm https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-75j2-9gmc-m855.yml 38.6.0
2026-06-13T09:25:16.905960+00:00 Ruby Importer Fixing VCID-s4kg-6wpn-fke4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-8fx8-3rg2-79xw.yml 38.6.0
2026-06-13T09:25:02.264223+00:00 Ruby Importer Fixing VCID-v1vd-3v7v-8qht https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml 38.6.0
2026-06-13T09:25:01.744718+00:00 Ruby Importer Fixing VCID-m6vs-j86s-dud3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml 38.6.0
2026-06-13T09:25:01.232792+00:00 Ruby Importer Affected by VCID-6vu4-jbn6-mqh9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46986.yml 38.6.0
2026-06-13T09:25:01.211919+00:00 Ruby Importer Fixing VCID-6vu4-jbn6-mqh9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46986.yml 38.6.0
2026-06-13T09:25:00.636721+00:00 Ruby Importer Fixing VCID-5b2p-u2bg-h7dq https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml 38.6.0
2026-06-12T21:21:24.610972+00:00 GitLab Importer Affected by VCID-jcrg-ej53-zfeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/CVE-2026-1776.yml 38.6.0
2026-06-12T19:54:55.137987+00:00 GitLab Importer Affected by VCID-5gks-ge3p-tya5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/CVE-2025-2304.yml 38.6.0
2026-06-12T19:41:19.711482+00:00 GitLab Importer Affected by VCID-9wt5-cqus-d3bm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/GHSA-75j2-9gmc-m855.yml 38.6.0
2026-06-12T19:40:59.293613+00:00 GitLab Importer Fixing VCID-s4kg-6wpn-fke4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/GHSA-8fx8-3rg2-79xw.yml 38.6.0
2026-06-12T19:40:58.752602+00:00 GitLab Importer Fixing VCID-9pwj-kwvj-rkdf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml 38.6.0
2026-06-12T19:40:33.659314+00:00 GitLab Importer Fixing VCID-m6vs-j86s-dud3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml 38.6.0
2026-06-12T19:40:27.737760+00:00 GitLab Importer Fixing VCID-v1vd-3v7v-8qht https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/CVE-2024-46987.yml 38.6.0
2026-06-12T19:40:25.241627+00:00 GitLab Importer Fixing VCID-5b2p-u2bg-h7dq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml 38.6.0
2026-06-12T19:40:23.174282+00:00 GitLab Importer Fixing VCID-6vu4-jbn6-mqh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/camaleon_cms/CVE-2024-46986.yml 38.6.0
2026-06-12T07:41:03.514851+00:00 GithubOSV Importer Fixing VCID-v1vd-3v7v-8qht https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-cp65-5m9r-vc2c/GHSA-cp65-5m9r-vc2c.json 38.6.0
2026-06-12T07:41:03.017066+00:00 GithubOSV Importer Fixing VCID-m6vs-j86s-dud3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-7x4w-cj9r-h4v9/GHSA-7x4w-cj9r-h4v9.json 38.6.0
2026-06-12T07:41:00.375059+00:00 GithubOSV Importer Fixing VCID-6vu4-jbn6-mqh9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-wmjg-vqhv-q5p5/GHSA-wmjg-vqhv-q5p5.json 38.6.0
2026-06-12T07:40:56.872966+00:00 GithubOSV Importer Fixing VCID-5b2p-u2bg-h7dq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-r9cr-qmfw-pmrc/GHSA-r9cr-qmfw-pmrc.json 38.6.0
2026-06-12T07:40:51.143009+00:00 GithubOSV Importer Fixing VCID-s4kg-6wpn-fke4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json 38.6.0
2026-06-12T07:40:50.975452+00:00 GithubOSV Importer Fixing VCID-9pwj-kwvj-rkdf https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-3hp8-6j24-m5gm/GHSA-3hp8-6j24-m5gm.json 38.6.0
2026-06-11T20:36:04.401592+00:00 GHSA Importer Fixing VCID-s4kg-6wpn-fke4 https://github.com/advisories/GHSA-8fx8-3rg2-79xw 38.6.0
2026-06-11T20:36:04.372272+00:00 GHSA Importer Fixing VCID-9pwj-kwvj-rkdf https://github.com/advisories/GHSA-3hp8-6j24-m5gm 38.6.0
2026-06-11T20:36:01.827118+00:00 GHSA Importer Fixing VCID-m6vs-j86s-dud3 https://github.com/advisories/GHSA-7x4w-cj9r-h4v9 38.6.0
2026-06-11T20:36:01.794689+00:00 GHSA Importer Fixing VCID-5b2p-u2bg-h7dq https://github.com/advisories/GHSA-r9cr-qmfw-pmrc 38.6.0
2026-06-11T20:36:01.764041+00:00 GHSA Importer Fixing VCID-v1vd-3v7v-8qht https://github.com/advisories/GHSA-cp65-5m9r-vc2c 38.6.0
2026-06-11T20:36:01.655096+00:00 GHSA Importer Fixing VCID-6vu4-jbn6-mqh9 https://github.com/advisories/GHSA-wmjg-vqhv-q5p5 38.6.0