{"url":"http://public2.vulnerablecode.io/api/packages/171401?format=json","purl":"pkg:gem/camaleon_cms@2.6.4","type":"gem","namespace":"","name":"camaleon_cms","version":"2.6.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51335?format=json","vulnerability_id":"VCID-698a-rmdd-vqhs","summary":"Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment\nA Privilege Escalation through a Mass Assignment exists in Camaleon CMS\n\nWhen a user wishes to change his password, the 'updated_ajax' method\nof the UsersController is called. The vulnerability stems from the\nuse of the dangerous permit! method, which allows all parameters to\npass through without any filtering.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2304","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42974","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.42985","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.43022","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.4303","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.4301","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2304"},{"reference_url":"https://github.com/advisories/GHSA-rp28-mvq3-wf8j","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rp28-mvq3-wf8j"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"c
vssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-14T13:38:20Z/"}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/179fd6b1ecf258d3e214aebfa87ac4a322ea4db4","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/179fd6b1ecf258d3e214aebfa87ac4a322ea4db4"},{"reference_url":"https://github.com/owen2345/camaleon-cms/pull/1109","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/pull/1109"},{"reference_url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.9.1","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.9.1"},{"reference_url":"https://www.tenable.com/security/research/tra-2025-09","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:
A/M:M/D:T/2025-03-14T13:38:20Z/"}],"url":"https://www.tenable.com/security/research/tra-2025-09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2304","reference_id":"CVE-2025-2304","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2304"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml","reference_id":"CVE-2025-2304.YML","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74674?format=json","purl":"pkg:gem/camaleon_cms@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.9.1"}],"aliases":["CVE-2025-2304","GHSA-rp28-mvq3-wf8j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-698a-rmdd-vqhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45285?format=json","vulnerability_id":"VCID-92b4-usmp-93bb","summary":"Server-Side Template Injection in Camaleon CMS\nCamaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats 
parameter.","references":[{"reference_url":"http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30145","reference_id":"","reference_type":"","scores":[{"value":"0.53275","scoring_system":"epss","scoring_elements":"0.98029","published_at":"2026-06-09T12:55:00Z"},{"value":"0.53275","scoring_system":"epss","scoring_elements":"0.98028","published_at":"2026-06-05T12:55:00Z"},{"value":"0.53275","scoring_system":"epss","scoring_elements":"0.9803","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30145"},{"reference_url":"https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection"},{"reference_url":"https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"
value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/4485788c544eb1aae52ca613bd9626129e3df6ee","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/4485788c544eb1aae52ca613bd9626129e3df6ee"},{"reference_url":"https://github.com/owen2345/camaleon-cms/issues/1052","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/issues/1052"},{"reference_url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.7.4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.7.4"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2023-30145.yml","reference_id":"","reference_type":"","scores":[{
"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2023-30145.yml"},{"reference_url":"https://portswigger.net/research/server-side-template-injection","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://portswigger.net/research/server-side-template-injection"},{"reference_url":"https://github.com/paragbagul111/CVE-2023-30145","reference_id":"CVE-2023-30145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://github.com/paragbagul111/CVE-2023-30145"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/51489.txt","reference_id":"CVE-2023-30145","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/51489.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30145","reference_id":"CVE-2023-30145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30145"},{"reference_url":"https://github.com/advisorie
s/GHSA-x487-866m-p8hr","reference_id":"GHSA-x487-866m-p8hr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x487-866m-p8hr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65256?format=json","purl":"pkg:gem/camaleon_cms@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/138796?format=json","purl":"pkg:gem/camaleon_cms@2.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.7.4"}],"aliases":["CVE-2023-30145","GHSA-x487-866m-p8hr"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92b4-usmp-93bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51340?format=json","vulnerability_id":"VCID-9556-6aap-r3e9","summary":"Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)\nA path traversal vulnerability accessible via MediaController's\ndownload_private_file method allows authenticated users to download\nany file on the web server Camaleon CMS is running on (depending\non the 
file permissions).\n\nIn the [download_private_file] method:\n\n```ruby\ndef download_private_file\n  cama_uploader.enable_private_mode!\n\n  file = cama_uploader.fetch_file(\"private/#{params[:file]}\")\n\n  send_file file, disposition: 'inline'\nend\n```\n\n[download_private_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28\n\nThe file parameter is passed to the [fetch_file] method of the\nCamaleonCmsLocalUploader class (when files are uploaded locally):\n\n```ruby\ndef fetch_file(file_name)\n  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)\n\n  file_name\nend\n```\n\n[fetch_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27\n\nIf the file exists, it's passed back to the download_private_file method\nwhere the file is sent to the user via [send_file].\n\n[send_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34\n\n## Proof of concept\n\nAn authenticated user can download the /etc/passwd file by visiting a URL such as:\n\n    https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd\n\n## Impact\n\nThis issue may lead to Information Disclosure.\n\n## Remediation\n\nNormalize file paths constructed from untrusted user input before using\nthem and check that the resulting path is inside the targeted directory.\nAdditionally, do not allow character sequences such as `..` in untrusted\ninput that is used to build paths.\n\n## See Also\n\n* [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n* [OWASP: Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-46987","reference_id":"","reference_type":"","scores":[{"value":"0.44011","scoring_system":"epss","scoring_elements":"0.9761","published_at":"2026-06-05T12:55:00Z"},{"value":"0.44011","scoring_system":"epss","scoring_elements":"0.97614","published_at":"2026-06-09T12:55:00Z"},{"value":"0.44011","scoring_system":"epss","scoring_elements":"0.97613","published_at":"2026-06-08T12:55:00Z"},{"value":"0.44011","scoring_system":"epss","scoring_elements":"0.97612","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-46987"},{"reference_url":"https://codeql.github.com/codeql-query-help/ruby/rb-path-injection","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://codeql.github.com/codeql-query-help/ruby/rb-path-injection"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/07
1b1b09d6d61ab02a5960b1ccafd9d9c2155a3e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c"},{"reference_url":"https://owasp.org/www-community/attacks/Path_Traversal","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","sco
ring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://owasp.org/www-community/attacks/Path_Traversal"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS"},{"reference_url":"https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52531.py","reference_id":"CVE-2024-46987","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52531.py"},{"refer
ence_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46987","reference_id":"CVE-2024-46987","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46987"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml","reference_id":"CVE-2024-46987.YML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml"},{"reference_url":"https://github.com/advisories/GHSA-cp65-5m9r-vc2c","reference_id":"GHSA-cp65-5m9r-vc2c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cp65-5m9r-vc2c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["CVE-2024-46987","GHSA-cp65-5m9r-vc2c"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9556-6aap-r3e9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilit
ies/51339?format=json","vulnerability_id":"VCID-ajep-x2a9-wue7","summary":"Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)\nA stored cross-site scripting has been found in the image upload\nfunctionality that can be used by normal registered users:\nIt is possible to upload a SVG image containing JavaScript and\nit's also possible to upload a HTML document when the format\nparameter is manually changed to [documents][1] or a string of an\n[unsupported format][2]. If an authenticated user or administrator\nvisits that uploaded image or document malicious JavaScript can be\nexecuted on their behalf\n(e.g. changing or deleting content inside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected\nCross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others\nor serve all \"unsafe\" files such as SVG and other files with a\ncontent-disposition: attachment header, which should prevent\nbrowsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3]\ncan be created that disallows inlined script. (Other parts of the\napplication might need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with\nHttpOnly. This would however not prevent that actions could be\nperformed as the authenticated user/administrator. 
Furthermore,\nit could make sense to use the authentication provided by\nRuby on Rails, so that stolen tokens cannot be used anymore\nafter some time.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"},{"reference_url":"https://github.com/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"GHSA-r9cr-qmf
w-pmrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9cr-qmfw-pmrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-r9cr-qmfw-pmrc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajep-x2a9-wue7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55881?format=json","vulnerability_id":"VCID-asqb-44pf-dqea","summary":"Duplicate Advisory: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7x4w-cj9r-h4v9. 
This link is maintained to preserve external references.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9"},{"reference_url":"https://github.com/advisories/GHSA-3hp8-6j24-m5gm","reference_id":"GHSA-3hp8-6j24-m5gm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hp8-6j24-m5gm"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml","reference_id":"GHSA-7x4w-cj9r-h4v9.yml","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-3hp8-6j24-m5gm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asqb-44pf-dqea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51333?format=json","vulnerability_id":"VCID-d84g-tn4c-3kbz","summary":"Camaleon CMS vulnerable to stored XSS 
through user file upload (GHSL-2024-184)\nA stored cross-site scripting has been found in the image upload\nfunctionality that can be used by normal registered users:\nIt is possible to upload a SVG image containing JavaScript and\nit's also possible to upload a HTML document when the format\nparameter is manually changed to [documents][1] or a string of\nan [unsupported format][2]. If an authenticated user or administrator\nvisits that uploaded image or document malicious JavaScript can\nbe executed on their behalf (e.g. changing or deleting content\ninside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected\nCross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others\nor serve all \"unsafe\" files such as SVG and other files with a\ncontent-disposition: attachment header, which should prevent\nbrowsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3] can be created\nthat disallows inlined script. (Other parts of the application\nmight need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with\nHttpOnly. This would however not prevent that actions could be\nperformed as the authenticated user/administrator. 
Furthermore,\nit could make sense to use the authentication provided by\nRuby on Rails, so that stolen tokens cannot be used anymore\nafter some time.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"},{"reference_url":"https://github.com/advisories/GHSA-8fx8-3rg2-79xw","reference_id":"GHSA-8fx8-3rg2-79xw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fx8-3rg2-79xw"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml","reference_id":"GHSA-r9cr-qmfw-pmrc.yml","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-8fx8-3rg2-79xw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d84g-tn4c-3kbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51332?format=json","vulnerability_id":"VCID-payq-mjhf-fuax","summary":"Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)\nThe [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52)\ndefined inside of the MediaController class do not check whether a\ngiven path is inside a certain path (e.g. inside the media folder).\nIf an attacker performed an account takeover of an administrator\naccount (See: GHSL-2024-184) they could delete arbitrary files or\nfolders on the server hosting Camaleon CMS. The\n[crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65)\naction might make arbitrary file writes (similar impact to GHSL-2024-182)\nfor any authenticated user possible, but it doesn't seem to work currently.\n\nArbitrary file deletion can be exploited with following code path:\nThe parameter folder flows from the actions method:\n```ruby\n  def actions\n    authorize! 
:manage, :media if params[:media_action] != 'crop_url'\n    params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?\n    case params[:media_action]\n    [..]\n    when 'del_file'\n      cama_uploader.delete_file(params[:folder].gsub('//', '/'))\n      render plain: ''\n```\ninto the method delete_file of the CamaleonCmsLocalUploader\nclass (when files are uploaded locally):\n```ruby\ndef delete_file(key)\n  file = File.join(@root_folder, key)\n  FileUtils.rm(file) if File.exist? file\n  @instance.hooks_run('after_delete', key)\n  get_media_collection.find_by_key(key).take.destroy\nend\n```\nWhere it is joined in an unchecked manner with the root folder and\nthen deleted.\n\n**Proof of concept**\nThe following request would delete the file README.md in the top\nfolder of the Ruby on Rails application. (The values for auth_token,\nX-CSRF-Token and _cms_session would also need to be replaced with\nauthenticated values in the curl command below)\n```\ncurl --path-as-is -i -s -k -X $'POST' \\\n    -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \\\n    -b $'auth_token=[..]; _cms_session=[..]' \\\n    --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..\n2F..\n2F..\n2FREADME.md&media_action=del_file' \\\n    $'https://<camaleon-host>/admin/media/actions?actions=true'\n```\n\n**Impact**\n\nThis issue may lead to a defective CMS or system.\n\n**Remediation**\n\nNormalize all file paths constructed from untrusted user input\nbefore using them and check that the resulting path is inside the\ntargeted directory. Additionally, do not allow character sequences\nsuch as .. 
in untrusted input that is used to build paths.\n\n**See also:**\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4
v9"},{"reference_url":"https://github.com/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"GHSA-7x4w-cj9r-h4v9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x4w-cj9r-h4v9"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml","reference_id":"GHSA-7x4w-cj9r-h4v9.yml","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-7x4w-cj9r-h4v9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-payq-mjhf-fuax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51336?format=json","vulnerability_id":"VCID-qrwq-szbs-7uf8","summary":"camaleon_cms affected by cross site scripting\nCross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows\nremote attacker to execute arbitrary code via the content group\nname 
field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48652","reference_id":"","reference_type":"","scores":[{"value":"0.3484","scoring_system":"epss","scoring_elements":"0.97113","published_at":"2026-06-05T12:55:00Z"},{"value":"0.3484","scoring_system":"epss","scoring_elements":"0.97119","published_at":"2026-06-09T12:55:00Z"},{"value":"0.3484","scoring_system":"epss","scoring_elements":"0.97116","published_at":"2026-06-08T12:55:00Z"},{"value":"0.3484","scoring_system":"epss","scoring_elements":"0.97114","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48652"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/paragbagul111/CVE-2024-48652","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paragbagul111/CVE-2024-48652"},{"reference_url":"https://github.com/paragbagul111/CVE-2024-48652/","reference_id":"CVE-2024-48652","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A
/M:M/D:T/2024-10-23T15:51:14Z/"}],"url":"https://github.com/paragbagul111/CVE-2024-48652/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48652","reference_id":"CVE-2024-48652","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48652"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-48652.yml","reference_id":"CVE-2024-48652.YML","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-48652.yml"},{"reference_url":"https://github.com/advisories/GHSA-hhxg-rvc9-8726","reference_id":"GHSA-hhxg-rvc9-8726","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhxg-rvc9-8726"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75427?format=json","purl":"pkg:gem/camaleon_cms@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-t7wx-h4uj-gqgv"},{"vulnerability":"VCID-y14c-1pts-fqcw"}]
,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.0"}],"aliases":["CVE-2024-48652","GHSA-hhxg-rvc9-8726"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrwq-szbs-7uf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50825?format=json","vulnerability_id":"VCID-y14c-1pts-fqcw","summary":"Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation\nCamaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. 
This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1776","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22888","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22948","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22932","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.2284","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22836","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1776"},{"reference_url":"https://camaleon.website","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://camaleon.website"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","sc
oring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af"},{"reference_url":"https://github.com/owen2345/camaleon-cms/pull/1127","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://github.com/owen2345/camaleon-cms/pull/1127"},{"reference_url":"https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_sys
tem":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read"},{"reference_url":"https://camaleon.website/","reference_id":"camaleon.website","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://camaleon.website/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1776","reference_id":"CVE-2026-1776","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1776"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2026-1776.yml","reference_id":"CVE-2026-1776.YML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2026-1776.yml"},{"reference_url":"https://github.com/advisories/GHSA-jw5g-f64p-6x78","reference_id":"GHSA-jw5g-f64p-6x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advi
sories/GHSA-jw5g-f64p-6x78"}],"fixed_packages":[],"aliases":["CVE-2026-1776","GHSA-jw5g-f64p-6x78"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y14c-1pts-fqcw"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.4"}