Home > Vulnerability Database > CVE-2024-46987

Mend.io Vulnerability Database

CVE-2024-46987

Good to know:

Date: September 18, 2024

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Ruby

Severity Score

7.7

Related Resources (10)

Url: https://owasp.org/www-community/attacks/Path_Traversal

Url: https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released

Url: https://codeql.github.com/codeql-query-help/ruby/rb-path-injection

Url: https://github.com/owen2345/camaleon-cms

Url: https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml

Url: https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-46987

Url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c

Url: https://www.mend.io/vulnerability-database/CVE-2024-46987

Severity Score

7.7

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version camaleon_cms - 2.8.1

Learn More

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-46987

Good to know:

Date: September 18, 2024

Language: Ruby

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?