
CVE-2021-25972

Date: October 20, 2021

Overview

Camaleon CMS versions 2.1.2.0 to 2.6.0 are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs that reference localhost or other internal servers. This allows attackers to read files stored on the internal server.

Details

The media upload feature shipped with Camaleon CMS versions 2.1.2.0 to 2.6.0 allows admin users to fetch media files from external URLs but fails to validate URLs that reference localhost or other internal servers, which may allow attackers to send requests to internal URLs and read the responses via SSRF.
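The missing control is a destination check on the user-supplied URL before the server fetches it. The following is an added example, not Camaleon CMS code, written in Ruby because that is the project's language. It parses the URL, restricts the scheme, resolves the host, and rejects any address in loopback, private, link-local or other non-public ranges. The function name, the lookup table used in place of live DNS, and the sample hostnames are all constructed for the example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Address ranges a server-side fetcher should never contact on behalf of a
# user: "this network", RFC 1918 private space, CGNAT, loopback, link-local,
# multicast, reserved, and the IPv6 equivalents (including IPv4-mapped forms).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_ip?(ip)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Validate a user-supplied fetch URL (hypothetical helper, not a Camaleon API).
# Returns [:ok, resolved_addresses] or [:reject, reason]. The resolver is
# injectable (default: system DNS) so the check can be exercised offline.
def check_fetch_url(url, resolver: ->(host) { Resolv.getaddresses(host) })
  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return [:reject, "unparseable URL"]
  end
  return [:reject, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)

  host = uri.hostname # strips the [] around IPv6 literals
  return [:reject, "missing host"] if host.nil? || host.empty?
  if host.casecmp?("localhost") || host.downcase.end_with?(".localhost")
    return [:reject, "localhost is not allowed"]
  end

  # Literal IP or DNS name: resolve, then check every address. A name that
  # maps to one public and one internal address is rejected as well.
  addresses = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return [:reject, "host did not resolve"] if addresses.empty?

  bad = addresses.find { |ip| blocked_ip?(ip) }
  return [:reject, "host resolves to non-public address #{bad}"] if bad

  [:ok, addresses.map(&:to_s)]
end

# Constructed lookup table standing in for DNS, so the example runs offline.
FAKE_DNS = {
  "intranet.test" => ["10.1.2.3"],
  "example.test"  => ["203.0.113.10"],
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

if __FILE__ == $PROGRAM_NAME
  ["http://127.0.0.1/lol.txt", "http://[::1]/x", "http://intranet.test/x",
   "http://example.test/x"].each do |u|
    puts "#{u} -> #{check_fetch_url(u, resolver: FAKE_RESOLVER).inspect}"
  end
end
```

Two points matter when wiring a check like this into a real fetcher: the address that passed the check must be the one the HTTP client actually connects to (otherwise a second DNS lookup can return a different answer), and every redirect target must go through the same check before it is followed.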

PoC Details

On the Camaleon machine, create a file called “lol.txt” in the home directory.
Now start a local python server.
In the Camaleon CMS application, log in as an administrator user. Go to the Media tab on the right. Choose Upload from URL, enter the URL below and submit. The file is uploaded from localhost and can be read in the Information pane or by accessing its URL.

PoC Code

# Command to start the python server (bound to loopback, so it is reachable only from the Camaleon host itself)
sudo python3 -m http.server 80 --bind 127.0.0.1

# URL to submit:
http://127.0.0.1/lol.txt

Affected Environments

Camaleon CMS versions 2.1.2.0 to 2.6.0

Prevention

Update to camaleon_cms version 2.6.0.1

Language: Ruby

Good to know:


Server-Side Request Forgery (SSRF)

CWE-918

Upgrade Version

Upgrade to version camaleon_cms - 2.6.0.1


Base Score (CVSS v3):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None
Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None