Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)

🗓️ 18 Sep 2024 14:39:03Reported by GitHub Advisory DatabaseType

Camaleon CMS upload method allows authenticated users to write arbitrary files to any location on the web server, leading to potential remote code execution via the upload_file method

Reporter	Title	Published	Views	Family All 15
GithubExploit	Exploit for Path Traversal in Tuzitio Camaleon_Cms	22 Sep 202414:27	–	githubexploit
Circl	CVE-2024-46986	18 Sep 202420:55	–	circl
CNNVD	CamaleonCMS 注入漏洞	18 Sep 202400:00	–	cnnvd
CVE	CVE-2024-46986	18 Sep 202417:14	–	cve
Cvelist	CVE-2024-46986 Arbitrary file write leading to RCE in Camaleon CMS	18 Sep 202417:14	–	cvelist
Nuclei	Camaleon CMS < 2.8.1 Arbitrary File Write to RCE	21 Jun 202603:03	–	nuclei
NVD	CVE-2024-46986	18 Sep 202418:15	–	nvd
OSV	CVE-2024-46986 Arbitrary file write leading to RCE in Camaleon CMS	18 Sep 202417:14	–	osv
OSV	GHSA-WMJG-VQHV-Q5P5 Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)	18 Sep 202414:39	–	osv
Positive Technologies	PT-2024-32320 · Unknown · Ruby On Rails +1	18 Sep 202400:00	–	ptsecurity

Vulners

Node

tuzitio camaleon_cmsRange2.8.0–2.8.1rubygems

Source	Link
github	www.github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
github	www.github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-46986
codeql	www.codeql.github.com/codeql-query-help/ruby/rb-path-injection
owasp	www.owasp.org/www-community/attacks/Path_Traversal
reddit	www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
github	www.github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46986.yml
securitylab	www.securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS
github	www.github.com/advisories/GHSA-wmjg-vqhv-q5p5

17 Apr 2025 22:55Current

8.3High risk

Vulners AI Score8.3

CVSS 3.19.9

EPSS0.35658

SSVC