{"url":"http://public2.vulnerablecode.io/api/packages/59333?format=json","purl":"pkg:gem/camaleon_cms@2.6.0","type":"gem","namespace":"","name":"camaleon_cms","version":"2.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51335?format=json","vulnerability_id":"VCID-698a-rmdd-vqhs","summary":"Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment\nA Privilege Escalation through a Mass Assignment exists in Camaleon CMS\n\nWhen a user wishes to change his password, the 'updated_ajax' method\nof the UsersController is called. The vulnerability stems from the\nuse of the dangerous permit! method, which allows all parameters to\npass through without any filtering.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2304","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.43022","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2304"},{"reference_url":"https://github.com/advisories/GHSA-rp28-mvq3-wf8j","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rp28-mvq3-wf8j"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-14T13:38:20Z/"}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/179fd6b1ecf258d3e214aebfa87ac4a322ea4db4","reference_id":"","reference_type":"","scores":[{"value":"9.4","sc
oring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/179fd6b1ecf258d3e214aebfa87ac4a322ea4db4"},{"reference_url":"https://github.com/owen2345/camaleon-cms/pull/1109","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/pull/1109"},{"reference_url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.9.1","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.9.1"},{"reference_url":"https://www.tenable.com/security/research/tra-2025-09","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-14T13:38:20Z/"}],"url":"https://www.tenable.com/security/research/tra-2025-09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2304","reference_id":"CVE-2025-2304","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2304"},{"reference_url":"https://git
hub.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml","reference_id":"CVE-2025-2304.YML","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74674?format=json","purl":"pkg:gem/camaleon_cms@2.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.9.1"}],"aliases":["CVE-2025-2304","GHSA-rp28-mvq3-wf8j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-698a-rmdd-vqhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41617?format=json","vulnerability_id":"VCID-6xw2-ykvp-4qaw","summary":"Insufficient Session Expiration\nCamaleon CMS to doesn’t terminate the active session of the users, even after the admin changes the user’s password. 
A user that was already logged in, will still have access to the application even after the password was changed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25970","reference_id":"","reference_type":"","scores":[{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61653","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61605","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25970"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-30T15:50:14Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml"},{"reference_url":"https://www.whitesourcesoftware.
com/vulnerability-database/CVE-2021-25970","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-30T15:50:14Z/"}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25970","reference_id":"CVE-2021-25970","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25970"},{"reference_url":"https://github.com/advisories/GHSA-438x-2p9v-g8h9","reference_id":"GHSA-438x-2p9v-g8h9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-438x-2p9v-g8h9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59334?format=json","purl":"pkg:gem/camaleon_cms@2.6.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-92b4-usmp-93bb"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.0.1"}],"aliases":["CVE-2021-25970","GHSA-438x-2p9v-g8h9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6xw2-ykvp-4qaw"},{"url":"http://public2.vulnerablecode.io/api/v
ulnerabilities/45285?format=json","vulnerability_id":"VCID-92b4-usmp-93bb","summary":"Server-Side Template Injection in Camaleon CMS\nCamaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.","references":[{"reference_url":"http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30145","reference_id":"","reference_type":"","scores":[{"value":"0.53275","scoring_system":"epss","scoring_elements":"0.98028","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30145"},{"reference_url":"https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection"},{"reference_url":"https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/P
R:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/4485788c544eb1aae52ca613bd9626129e3df6ee","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/4485788c544eb1aae52ca613bd9626129e3df6ee"},{"reference_url":"https://github.com/owen2345/camaleon-cms/issues/1052","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/issues/1052"},{"reference_url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.7.4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/releases/tag/2.7.4"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2023-30145.yml","reference_id":"","r
eference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2023-30145.yml"},{"reference_url":"https://portswigger.net/research/server-side-template-injection","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://portswigger.net/research/server-side-template-injection"},{"reference_url":"https://github.com/paragbagul111/CVE-2023-30145","reference_id":"CVE-2023-30145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-16T16:18:04Z/"}],"url":"https://github.com/paragbagul111/CVE-2023-30145"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/51489.txt","reference_id":"CVE-2023-30145","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/51489.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30145","reference_id":"CVE-2023-30145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30145"},{"reference_url":
"https://github.com/advisories/GHSA-x487-866m-p8hr","reference_id":"GHSA-x487-866m-p8hr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x487-866m-p8hr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65256?format=json","purl":"pkg:gem/camaleon_cms@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/138796?format=json","purl":"pkg:gem/camaleon_cms@2.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.7.4"}],"aliases":["CVE-2023-30145","GHSA-x487-866m-p8hr"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92b4-usmp-93bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51340?format=json","vulnerability_id":"VCID-9556-6aap-r3e9","summary":"Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)\nA path traversal vulnerability accessible via MediaController's\ndownload_private_file method allows authenticated users to download\nany file on the web server Camaleon CMS is running on (depending\non the file permissions).\n\nIn the 
[download_private_file] method:\n\n```ruby\ndef download_private_file\n  cama_uploader.enable_private_mode!\n\n  file = cama_uploader.fetch_file(\"private/#{params[:file]}\")\n\n  send_file file, disposition: 'inline'\nend\n```\n\n[download_private_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28\n\nThe file parameter is passed to the [fetch_file] method of the\nCamaleonCmsLocalUploader class (when files are uploaded locally):\n\n```ruby\ndef fetch_file(file_name)\n  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)\n\n  file_name\nend\n```\n\n[fetch_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27\n\nIf the file exists it's passed back to the download_private_file method\nwhere the file is sent to the user via [send_file].\n\n[send_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34\n\n## Proof of concept\n\nAn authenticated user can download the /etc/passwd file by visiting an URL such as:\n\n    https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd\n\n## Impact\n\nThis issue may lead to Information Disclosure.\n\n## Remediation\n\nNormalize file paths constructed from untrusted user input before using\nthem and check that the resulting path is inside the targeted directory.\nAdditionally, do not allow character sequences such as `..` in untrusted\ninput that is used to build paths.\n\n## See Also\n\n* [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n* [OWASP: Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-46987","reference_id":"","reference_type":"","scores":[{"value":"0.44011","scoring_system":"epss","scoring_elements":"0.9761","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-46987"},{"reference_url":"https://codeql.github.com/codeql-query-help/ruby/rb-path-injection","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://codeql.github.com/codeql-query-help/ruby/rb-path-injection"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value"
:"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c"},{"reference_url":"https://owasp.org/www-community/attacks/Path_Traversal","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://owasp.org/www-community/attacks/Path_Traversal"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1",
"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS"},{"reference_url":"https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:57:11Z/"}],"url":"https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52531.py","reference_id":"CVE-2024-46987","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52531.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46987","reference_id":"CVE-2024-46987","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/V
I:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46987"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml","reference_id":"CVE-2024-46987.YML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml"},{"reference_url":"https://github.com/advisories/GHSA-cp65-5m9r-vc2c","reference_id":"GHSA-cp65-5m9r-vc2c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cp65-5m9r-vc2c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["CVE-2024-46987","GHSA-cp65-5m9r-vc2c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9556-6aap-r3e9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41613?format=json","vulnerability_id":"VCID-9jsa-k6th-dubb","summary":"In Camaleon CMS to, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. 
This allows attackers to read files stored in the internal server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25972","reference_id":"","reference_type":"","scores":[{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49762","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49698","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25972"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:49:41Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25972.yml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25972.yml"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-
25972","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:49:41Z/"}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25972","reference_id":"CVE-2021-25972","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25972"},{"reference_url":"https://github.com/advisories/GHSA-vx6p-q4gj-x6xx","reference_id":"GHSA-vx6p-q4gj-x6xx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx6p-q4gj-x6xx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59334?format=json","purl":"pkg:gem/camaleon_cms@2.6.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-92b4-usmp-93bb"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.0.1"}],"aliases":["CVE-2021-25972","GHSA-vx6p-q4gj-x6xx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jsa-k6th-dubb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51339?form
at=json","vulnerability_id":"VCID-ajep-x2a9-wue7","summary":"Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)\nA stored cross-site scripting has been found in the image upload\nfunctionality that can be used by normal registered users:\nIt is possible to upload a SVG image containing JavaScript and\nit's also possible to upload a HTML document when the format\nparameter is manually changed to [documents][1] or a string of an\n[unsupported format][2]. If an authenticated user or administrator\nvisits that uploaded image or document malicious JavaScript can be\nexecuted on their behalf\n(e.g. changing or deleting content inside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected\nCross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others\nor serve all \"unsafe\" files such as SVG and other files with a\ncontent-disposition: attachment header, which should prevent\nbrowsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3]\ncan be created that disallows inlined script. (Other parts of the\napplication might need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with\nHttpOnly. This would however not prevent that actions could be\nperformed as the authenticated user/administrator. 
Furthermore,\nit could make sense to use the authentication provided by\nRuby on Rails, so that stolen tokens cannot be used anymore\nafter some time.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"},{"reference_url":"https://github.com/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"GHSA-r9cr-qmf
w-pmrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9cr-qmfw-pmrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-r9cr-qmfw-pmrc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajep-x2a9-wue7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55881?format=json","vulnerability_id":"VCID-asqb-44pf-dqea","summary":"Duplicate Advisory: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7x4w-cj9r-h4v9. 
This link is maintained to preserve external references.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9"},{"reference_url":"https://github.com/advisories/GHSA-3hp8-6j24-m5gm","reference_id":"GHSA-3hp8-6j24-m5gm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hp8-6j24-m5gm"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml","reference_id":"GHSA-7x4w-cj9r-h4v9.yml","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-3hp8-6j24-m5gm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asqb-44pf-dqea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41614?format=json","vulnerability_id":"VCID-b2rx-y3hz-63dx","summary":"Improper Neutralization of Input 
During Web Page Generation ('Cross-site Scripting')\nThe “Camaleon CMS” application is vulnerable to stored XSS, which allows unprivileged application users to store malicious scripts in the comments section of a post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25969","reference_id":"","reference_type":"","scores":[{"value":"0.01472","scoring_system":"epss","scoring_elements":"0.81303","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01472","scoring_system":"epss","scoring_elements":"0.81275","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25969"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:50:22Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","sc
oring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:50:22Z/"}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25969","reference_id":"CVE-2021-25969","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25969"},{"reference_url":"https://github.com/advisories/GHSA-x78v-4fvj-rg9j","reference_id":"GHSA-x78v-4fvj-rg9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x78v-4fvj-rg9j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59334?format=json","purl":"pkg:gem/camaleon_cms@2.6.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-92b4-usmp-93bb"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.0.1"}],"aliases":["CVE-2021-25969","GHSA-x78v-4fvj-rg9j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b2rx-y3hz-63dx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51333?format=json","vulnerability_id":"VCID-d84g-tn4c-3kbz","summary":"Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)\nA stored cross-site scripting has been found 
in the image upload\nfunctionality that can be used by normal registered users:\nIt is possible to upload a SVG image containing JavaScript and\nit's also possible to upload a HTML document when the format\nparameter is manually changed to [documents][1] or a string of\nan [unsupported format][2]. If an authenticated user or administrator\nvisits that uploaded image or document malicious JavaScript can\nbe executed on their behalf (e.g. changing or deleting content\ninside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected\nCross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others\nor serve all \"unsafe\" files such as SVG and other files with a\ncontent-disposition: attachment header, which should prevent\nbrowsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3] can be created\nthat disallows inlined script. (Other parts of the application\nmight need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with\nHttpOnly. This would however not prevent that actions could be\nperformed as the authenticated user/administrator. 
Furthermore,\nit could make sense to use the authentication provided by\nRuby on Rails, so that stolen tokens cannot be used anymore\nafter some time.","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"},{"reference_url":"https://github.com/advisories/GHSA-8fx8-3rg2-79xw","reference_id":"GHSA-8fx8-3rg2-79xw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fx8-3rg2-79xw"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml","reference_id":"GHSA-r9cr-qmfw-pmrc.yml","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-8fx8-3rg2-79xw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d84g-tn4c-3kbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41616?format=json","vulnerability_id":"VCID-jwkf-ess3-9kgr","summary":"Unchecked Error Condition\nCamaleon CMS is vulnerable to an Uncaught Exception. The app's media upload feature crashes permanently when an attacker with a low privileged access uploads a specially crafted `.svg` 
file","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25971","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51747","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51687","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25971"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/ab89584ab32b98a0af3d711e3f508a1d048147d2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:50:03Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/ab89584ab32b98a0af3d711e3f508a1d048147d2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25971.yml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25971.yml"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25971","reference_id":"","reference_type":"","scores":[{"value
":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-30T15:50:03Z/"}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25971"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25971","reference_id":"CVE-2021-25971","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25971"},{"reference_url":"https://github.com/advisories/GHSA-r2w2-h6r8-3r53","reference_id":"GHSA-r2w2-h6r8-3r53","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2w2-h6r8-3r53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59334?format=json","purl":"pkg:gem/camaleon_cms@2.6.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-92b4-usmp-93bb"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-qrwq-szbs-7uf8"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.0.1"}],"aliases":["CVE-2021-25971","GHSA-r2w2-h6r8-3r53"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jwkf-ess3-9kgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51332?format=json","vulnerability_id":"VCID-payq-mjhf-fuax","summary":"C
amaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)\nThe [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52)\ndefined inside of the MediaController class do not check whether a\ngiven path is inside a certain path (e.g. inside the media folder).\nIf an attacker performed an account takeover of an administrator\naccount (See: GHSL-2024-184) they could delete arbitrary files or\nfolders on the server hosting Camaleon CMS. The\n[crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65)\naction might make arbitrary file writes (similar impact to GHSL-2024-182)\nfor any authenticated user possible, but it doesn't seem to work currently.\n\nArbitrary file deletion can be exploited with following code path:\nThe parameter folder flows from the actions method:\n```ruby\n  def actions\n    authorize! :manage, :media if params[:media_action] != 'crop_url'\n    params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?\n    case params[:media_action]\n    [..]\n    when 'del_file'\n      cama_uploader.delete_file(params[:folder].gsub('//', '/'))\n      render plain: ''\n```\ninto the method delete_file of the CamaleonCmsLocalUploader\nclass (when files are uploaded locally):\n```ruby\ndef delete_file(key)\n  file = File.join(@root_folder, key)\n  FileUtils.rm(file) if File.exist? file\n  @instance.hooks_run('after_delete', key)\n  get_media_collection.find_by_key(key).take.destroy\nend\n```\nWhere it is joined in an unchecked manner with the root folder and\nthen deleted.\n\n**Proof of concept**\nThe following request would delete the file README.md in the top\nfolder of the Ruby on Rails application. 
(The values for auth_token,\nX-CSRF-Token and _cms_session would also need to be replaced with\nauthenticated values in the curl command below)\n```\ncurl --path-as-is -i -s -k -X $'POST' \\\n    -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \\\n    -b $'auth_token=[..]; _cms_session=[..]' \\\n    --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..\n2F..\n2F..\n2FREADME.md&media_action=del_file' \\\n    $'https://<camaleon-host>/admin/media/actions?actions=true'\n```\n\n**Impact**\n\nThis issue may lead to a defective CMS or system.\n\n**Remediation**\n\nNormalize all file paths constructed from untrusted user input\nbefore using them and check that the resulting path is inside the\ntargeted directory. Additionally, do not allow character sequences\nsuch as .. in untrusted input that is used to build paths.\n\n**See also:**\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal)","references":[{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/commit/f5d032549fa0a204d06e738caf2663607967dee2"},{"reference_url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9"},{"reference_url":"https://github.com/advisories/GHSA-7x4w-cj9r-h4v9","reference_id":"GHSA-7x4w-cj9r-h4v9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elemen
ts":""}],"url":"https://github.com/advisories/GHSA-7x4w-cj9r-h4v9"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml","reference_id":"GHSA-7x4w-cj9r-h4v9.yml","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82698?format=json","purl":"pkg:gem/camaleon_cms@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.1"}],"aliases":["GHSA-7x4w-cj9r-h4v9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-payq-mjhf-fuax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51336?format=json","vulnerability_id":"VCID-qrwq-szbs-7uf8","summary":"camaleon_cms affected by cross site scripting\nCross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows\nremote attacker to execute arbitrary code via the content group\nname 
field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48652","reference_id":"","reference_type":"","scores":[{"value":"0.3484","scoring_system":"epss","scoring_elements":"0.97113","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48652"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/paragbagul111/CVE-2024-48652","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paragbagul111/CVE-2024-48652"},{"reference_url":"https://github.com/paragbagul111/CVE-2024-48652/","reference_id":"CVE-2024-48652","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T15:51:14Z/"}],"url":"https://github.com/paragbagul111/CVE-2024-48652/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48652","reference_id":"CVE-2024-48652","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}
,{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48652"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-48652.yml","reference_id":"CVE-2024-48652.YML","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-48652.yml"},{"reference_url":"https://github.com/advisories/GHSA-hhxg-rvc9-8726","reference_id":"GHSA-hhxg-rvc9-8726","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hhxg-rvc9-8726"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75427?format=json","purl":"pkg:gem/camaleon_cms@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-698a-rmdd-vqhs"},{"vulnerability":"VCID-9556-6aap-r3e9"},{"vulnerability":"VCID-ajd5-fzcb-kkdn"},{"vulnerability":"VCID-ajep-x2a9-wue7"},{"vulnerability":"VCID-asqb-44pf-dqea"},{"vulnerability":"VCID-d84g-tn4c-3kbz"},{"vulnerability":"VCID-payq-mjhf-fuax"},{"vulnerability":"VCID-t7wx-h4uj-gqgv"},{"vulnerability":"VCID-y14c-1pts-fqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.8.0"}],"aliases":["CVE-2024-48652","GHSA-hhxg-rvc9-8726"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrwq-szbs-7uf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50825?format=json","vulnerability_id":"VCID-y14c-
1pts-fqcw","summary":"Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation\nCamaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1776","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22948","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1776"},{"reference_url":"https://camaleon.website","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://camaleon.website"},{"reference_url":"https://github.com/owen2345/camaleon-cms","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:
N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/owen2345/camaleon-cms"},{"reference_url":"https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af"},{"reference_url":"https://github.com/owen2345/camaleon-cms/pull/1127","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://github.com/owen2345/camaleon-cms/pull/1127"},{"reference_url":"https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"va
lue":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read"},{"reference_url":"https://camaleon.website/","reference_id":"camaleon.website","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:57:09Z/"}],"url":"https://camaleon.website/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1776","reference_id":"CVE-2026-1776","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1776"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2026-1776.yml","reference_id":"CVE-2026-1776.YML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_el
ements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2026-1776.yml"},{"reference_url":"https://github.com/advisories/GHSA-jw5g-f64p-6x78","reference_id":"GHSA-jw5g-f64p-6x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jw5g-f64p-6x78"}],"fixed_packages":[],"aliases":["CVE-2026-1776","GHSA-jw5g-f64p-6x78"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y14c-1pts-fqcw"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/camaleon_cms@2.6.0"}