camaleon_cms 2.4.3.2
Server-Side Template Injection in Camaleon CMS
critical severity CVE-2023-30145>= 2.7.4
Camaleon CMS prior to 2.7.4 was discovered to contain a Server-Side
Template Injection (SSTI) vulnerability via the formats parameter.
Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
high severity GHSA-7x4w-cj9r-h4v9>= 2.8.1
The actions defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The crop_url action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method:
def actions
authorize! :manage, :media if params[:media_action] != 'crop_url'
params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
case params[:media_action]
[..]
when 'del_file'
cama_uploader.delete_file(params[:folder].gsub('//', '/'))
render plain: ''
into the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally):
def delete_file(key)
file = File.join(@root_folder, key)
FileUtils.rm(file) if File.exist? file
@instance.hooks_run('after_delete', key)
get_media_collection.find_by_key(key).take.destroy
end
Where it is joined in an unchecked manner with the root folder and then deleted.
Proof of concept The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
curl --path-as-is -i -s -k -X $'POST' \
-H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
-b $'auth_token=[..]; _cms_session=[..]' \
--data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
2F..
2F..
2FREADME.md&media_action=del_file' \
$'https://<camaleon-host>/admin/media/actions?actions=true'
Impact
This issue may lead to a defective CMS or system.
Remediation
Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
See also:
CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal
Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
high severity GHSA-3hp8-6j24-m5gm< 2.8.1
The actions defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The crop_url action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method:
def actions
authorize! :manage, :media if params[:media_action] != 'crop_url'
params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
case params[:media_action]
[..]
when 'del_file'
cama_uploader.delete_file(params[:folder].gsub('//', '/'))
render plain: ''
into the method delete_file of the CamaleonCmsLocalUploader class (when files are uploaded locally):
def delete_file(key)
file = File.join(@root_folder, key)
FileUtils.rm(file) if File.exist? file
@instance.hooks_run('after_delete', key)
get_media_collection.find_by_key(key).take.destroy
end
Where it is joined in an unchecked manner with the root folder and then deleted.
Proof of concept The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
curl --path-as-is -i -s -k -X $'POST' \
-H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
-b $'auth_token=[..]; _cms_session=[..]' \
--data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
2F..
2F..
2FREADME.md&media_action=del_file' \
$'https://<camaleon-host>/admin/media/actions?actions=true'
Impact
This issue may lead to a defective CMS or system.
Remediation
Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
See also:
CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal
Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
high severity CVE-2024-46987>= 2.8.1
A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).
In the download_private_file method:
def download_private_file
cama_uploader.enable_private_mode!
file = cama_uploader.fetch_file("private/#{params[:file]}")
send_file file, disposition: 'inline'
end
The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):
def fetch_file(file_name)
raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)
file_name
end
If the file exists it's passed back to the download_private_file method where the file is sent to the user via send_file.
Proof of concept
An authenticated user can download the /etc/passwd file by visiting an URL such as:
https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd
Impact
This issue may lead to Information Disclosure.
Remediation
Normalize file paths constructed from untrusted user input before using
them and check that the resulting path is inside the targeted directory.
Additionally, do not allow character sequences such as .. in untrusted
input that is used to build paths.
See Also
Camaleon CMS Insufficient Session Expiration vulnerability
high severity CVE-2021-25970>= 2.6.0.1
< 0.1.7
Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed.
Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
medium severity GHSA-r9cr-qmfw-pmrc>= 2.8.1
A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)
Impact
This issue may lead to account takeover due to reflected Cross-site scripting (XSS).
Remediation
Only allow the upload of safe files such as PNG, TXT and others or serve all "unsafe" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.
Additionally, a Content security policy (CSP) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)
To prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.
Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
medium severity GHSA-8fx8-3rg2-79xw>= 2.8.1
A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)
Impact
This issue may lead to account takeover due to reflected Cross-site scripting (XSS).
Remediation
Only allow the upload of safe files such as PNG, TXT and others or serve all "unsafe" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.
Additionally, a Content security policy (CSP) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)
To prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.
camaleon_cms affected by cross site scripting
medium severity CVE-2024-48652Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.
Camaleon CMS vulnerable to Server-Side Request Forgery
medium severity CVE-2021-25972>= 2.6.0.1
< 2.1.2.0
In Camaleon CMS, versions 2.1.2.0 through 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.
Camaleon CMS vulnerable to Uncaught Exception
medium severity CVE-2021-25971>= 2.6.0.1
< 2.0.1
In Camaleon CMS, versions 2.0.1 through 2.6.0 are vulnerable to an Uncaught Exception. The app's media upload feature crashes permanently when an attacker with a low privileged access uploads a specially crafted .svg file.
Camaleon CMS Stored Cross-site Scripting vulnerability
medium severity CVE-2021-25969>= 2.6.0.1
< 0.0.1
In “Camaleon CMS” application, versions 0.0.1 through 2.6.0 are vulnerable to stored XSS, that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.
Camaleon CMS vulnerable to Stored Cross-site Scripting
medium severity CVE-2018-18260< 2.4
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The
profile image in the User settings section can be run in the update / upload area
via /admin/media/upload?actions=false.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.