CVE-2021-25972
Date: October 20, 2021
Overview
Camaleon CMS versions 2.1.2.0 to 2.6.0 are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature. The feature allows admin users to fetch media files from external URLs but fails to validate URLs that reference localhost or other internal servers. This allows an attacker with admin access to read files and responses served by the internal server.
Details
The media upload feature shipped with Camaleon CMS versions 2.1.2.0 to 2.6.0 allows admin users to fetch media files from external URLs but does not validate URLs that reference localhost or other internal servers. An attacker can therefore make the application send requests to internal URLs and read the responses via SSRF.
PoC Details
On the host running Camaleon CMS, create a file called “lol.txt” in the home directory. Then start a local Python HTTP server.
In the Camaleon CMS application, log in as an administrator user. Go to the Media tab on the right, choose Upload from URL, enter the URL below and submit. The file is fetched from localhost and can be read in the Information pane or by accessing the uploaded file's URL.
PoC Code
# Command to start the Python server (bound to the loopback interface only)
sudo python3 -m http.server 80 --bind 127.0.0.1
# URL to submit in "Upload from URL":
http://127.0.0.1/lol.txt
Affected Environments
Camaleon CMS versions 2.1.2.0 to 2.6.0
Prevention
Update to camaleon_cms version 2.6.0.1
Language: Ruby
Good to know:

CVSS v3 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | High |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | None |
| Availability (A) | None |

CVSS v2 metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Low |
| Authentication (AU) | Single |
| Confidentiality (C) | Partial |
| Integrity (I) | None |
| Availability (A) | None |