I. Basic Information for CVE-2024-46987
Vulnerability Information

Vulnerability Title
Arbitrary path traversal in Camaleon CMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Information Exposure
Source: NVD (National Vulnerability Database)
Vulnerability Title
CamaleonCMS Information Disclosure Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
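CamaleonCMS is an advanced dynamic content management system (CMS) based on Ruby on Rails, developed by the CamaleonCMS team. CamaleonCMS version 2.8.0 contains an information disclosure vulnerability. It stems from a path traversal flaw that allows authenticated users to download any file on the server.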
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
Vendor | Product | Affected Versions | CPE
owen2345 | camaleon-cms | < 2.8.2 | -
II. Public POCs for CVE-2024-46987
# | POC Description | Source Link
1 | This Python PoC exploits CVE-2024-46987, a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (work on 2.9.0). It allows authenticated users to read sensitive server files via the MediaController. Intended for authorized security auditing and educational research only. | https://github.com/Goultarde/CVE-2024-46987
2 | Path Traversal vulnerability | https://github.com/L1337Xi/CVE-2024-46987
3 | None | https://github.com/Ik0nw/CVE-2024-46987
4 | Exploit for CVE-2024-46987 | https://github.com/sparrowhawk1113/Exploit-for-CVE-2024-46987
5 | CVE-2024-46987 - Camaleon CMS LFI Exploit | https://github.com/Rival420/CVE-2024-46987
6 | Exploit created using Python | https://github.com/advaitpathak21/CVE-2024-46987
7 | This Rust PoC exploits CVE-2024-46987, a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (work on 2.9.0). | https://github.com/rabouzia/CVE-2024-46987
8 | PoC exploit for CVE-2024-46987 — Camaleon CMS arbitrary path traversal (file read) | https://github.com/BLUEBERRYP1LL/CVE-2024-46987