Home > Vulnerability Database > CVE-2024-46986

Mend.io Vulnerability Database

CVE-2024-46986

Good to know:

Date: September 18, 2024

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Ruby

Severity Score

9.9

Related Resources (9)

Url: https://owasp.org/www-community/attacks/Path_Traversal

Url: https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released

Url: https://codeql.github.com/codeql-query-help/ruby/rb-path-injection

Url: https://github.com/owen2345/camaleon-cms

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46986.yml

Url: https://github.com/owen2345/camaleon-cms/commit/b3b12b1e4a9e3fccaf5bb4330820fa7f8744e6bd

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-46986

Url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5

Url: https://www.mend.io/vulnerability-database/CVE-2024-46986

Severity Score

9.9

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version camaleon_cms - 2.8.2

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-46986

Good to know:

Date: September 18, 2024

Language: Ruby

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?