Overview
In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an uncaught exception: the app's media upload feature crashes permanently when an attacker with low-privileged access uploads a specially crafted .svg file.
Details
Camaleon CMS's media upload feature crashes permanently when an attacker with low-privileged access uploads a crafted .svg file.
PoC Details
In a private window, create a sample account. Go to Profile, then Change Photo, and upload a crafted SVG file with the contents given below.
Now, in a normal window, log in as an administrator user and go to the Media tab on the right. The page crashes, and the crash is permanent: from this point no user can upload any image or change their picture.
PoC Code
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
</svg>
Affected Environments
Camaleon CMS versions 2.0.1 to 2.6.0
Prevention
Update to camaleon_cms version 2.6.0.1
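As an added example (not from the advisory and not Camaleon CMS's own code), a Ruby pre-upload check that rejects the advisory's PoC SVG before it reaches media processing. Since the advisory does not say which step raises, it assumes that an SVG carrying no width/height or viewBox is the trigger; malformed XML is likewise turned into a rejection instead of an uncaught exception.

```ruby
require 'rexml/document'

# Verdict handed back to the upload controller: a value, never an exception.
SvgCheck = Struct.new(:ok, :reason)

# Validate an SVG blob before it is passed on to media processing.
# Assumption (not stated in the advisory): the crash is triggered by an SVG
# with no usable size information, so width/height or a viewBox is required.
def validate_svg(bytes)
  doc = REXML::Document.new(bytes)
  root = doc.root
  return SvgCheck.new(false, 'no root element') if root.nil?
  return SvgCheck.new(false, "root is <#{root.name}>, not <svg>") unless root.name == 'svg'

  attrs = root.attributes
  has_size = attrs['width'] && attrs['height']
  has_viewbox = attrs['viewBox']
  return SvgCheck.new(false, 'svg has neither width/height nor viewBox') unless has_size || has_viewbox

  SvgCheck.new(true, nil)
rescue REXML::ParseException => e
  # Malformed XML becomes a rejected upload, not a 500 that takes the Media panel down.
  SvgCheck.new(false, "malformed XML: #{e.message.lines.first.strip}")
end

# The PoC from the advisory, reproduced here as the constructed test input.
POC_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  </svg>
SVG

# A constructed benign SVG with explicit dimensions.
GOOD_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><rect width="16" height="16"/></svg>'

# A constructed malformed document (mismatched end tag).
BROKEN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect></svg>'

if __FILE__ == $PROGRAM_NAME
  { poc: POC_SVG, good: GOOD_SVG, broken: BROKEN_SVG }.each do |label, body|
    r = validate_svg(body)
    puts "#{label}: #{r.ok ? 'ACCEPT' : 'REJECT'} #{r.reason}"
  end
end
```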