CVE-2025-2304
CVE-2025-2304 describes a mass-assignment vulnerability in Camaleon CMS where the updated_ajax action in UsersController uses params.require(:user).permit! and thus accepts unfiltered keys. Exploitation paths documented in connected sources show an authenticated user can inject password[role]=adm...
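The difference between permit! and an explicit allow-list, shown as an added example that is not Camaleon CMS code. It is a plain-Ruby stand-in for Rails strong parameters; User, ALLOWED_KEYS, both update helpers, the role values and the sample request are hypothetical and constructed for illustration.

```ruby
# Plain-Ruby model of strong-parameter filtering (no Rails required).
# Every name below is hypothetical; none is taken from the Camaleon CMS code base.

User = Struct.new(:email, :password, :role) do
  # Mimics a model's update(attrs): assigns every key it receives.
  def update(attrs)
    attrs.each { |key, value| self[key.to_sym] = value }
    self
  end
end

# Assumption: a password-change action should only ever touch the password.
# In Rails the allow-list form is params.require(:user).permit(:password).
ALLOWED_KEYS = %w[password].freeze

# Behaviour of permit!: every submitted key reaches the model.
def update_unfiltered(user, params)
  user.update(params.fetch("user"))
end

# Allow-list behaviour: only permitted keys reach the model. The dropped keys
# are returned so the caller can log them as a tampering signal.
def update_allowlisted(user, params)
  submitted = params.fetch("user")
  permitted = submitted.select { |key, _| ALLOWED_KEYS.include?(key) }
  rejected  = submitted.keys - permitted.keys
  user.update(permitted)
  rejected
end

# Constructed request body: a password change carrying an extra "role" key.
SAMPLE_PARAMS = { "user" => { "password" => "new-secret", "role" => "elevated" } }.freeze

def demo
  weak = update_unfiltered(User.new("a@example.test", "old", "basic"), SAMPLE_PARAMS)
  safe = User.new("a@example.test", "old", "basic")
  rejected = update_allowlisted(safe, SAMPLE_PARAMS)
  { unfiltered_role: weak.role, allowlisted_role: safe.role, rejected: rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

A non-empty rejected list on a self-service endpoint is worth logging with the user id, since legitimate clients never send those keys.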