CVE-2023-30145
published 2023-05-26

CVE-2023-30145: Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

Priority: P2 (74) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 46.14% (98.7th percentile)

Affected (2 ranges)

Vendor         Product        Version range      Fixed in
camaleon_cms   camaleon_cms   >= 0, < 2.7.4      2.7.4
tuzitio        camaleon_cms   <= 2.7.0           (none listed)

Detection & IOCs

URL:      /admin/media/upload?actions=false
URL:      /admin/media/upload?actions=true
Command:  formats=testtest (SSTI probe: evaluates 7*7 via template injection in the formats parameter)
Command:  formats=testqopifdtest (SSTI RCE payload injected in the formats parameter)
Command:  formats=dqopifdfdsf (SSTI RCE payload used to read /etc/passwd)
  • Monitor POST requests to /admin/media/upload containing template expression syntax (e.g., {{ }}, <%= %>, or similar) in the 'formats' multipart form-data field, which is the vulnerable parameter.
  • Alert on HTTP 200 responses to /admin/media/upload where the response body contains 'File format not allowed' followed by numeric output or command output (e.g., /etc/passwd content), indicating successful SSTI evaluation.
  • Detect multipart/form-data POST requests to /admin/media/upload where the 'formats' field contains template injection characters or arithmetic expressions rather than a legitimate file extension value.
  • The exploit uses X-Requested-With: XMLHttpRequest header alongside the malicious upload request; correlate this with anomalous 'formats' field values as a combined detection signal.
  • Response body leaking /etc/passwd content (e.g., 'root:x:0:0:root:/root:/bin/bash') within a 'File format not allowed (...)' message is a high-confidence indicator of successful SSTI RCE exploitation.
  • The vulnerability is confirmed in Camaleon CMS v2.7.0 and all earlier versions, so detection scope should not be limited to the 2.7.0 release; the first fixed version in the affected table is 2.7.4.
  • Exploitation requires authenticated access to the admin panel (/admin/media/upload). Note that this contradicts the PR:N component of the CVSS vector above; when prioritising, treat the 9.8 as an upper bound and weigh how widely admin credentials are held in your deployment.
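The detection notes above, turned into a single classifier run over constructed sample transactions. This is an added example, not code from the advisory's sources or from the Camaleon CMS project. It assumes a simplified record layout (method, path, headers, parsed form fields, status, response body) as a WAF or reverse-proxy log might provide, and it assumes that a legitimate `formats` value is a comma-separated list of alphanumeric extension tokens such as "jpg,png,pdf"; both the layout and the indicator names are ours. The payload string in the third sample is a placeholder, not a working exploit.

```python
import re

UPLOAD_PATH = "/admin/media/upload"

# Template delimiters named in the detection notes plus common SSTI variants
# (ERB <% %>, Liquid/Jinja {{ }} and {% %}, Ruby/shell interpolation).
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|<%|%>|\{%|%\}|#\{|\$\{")
# Arithmetic canary such as 7*7 (the classic SSTI probe).
ARITH_PROBE = re.compile(r"\d+\s*[*+/-]\s*\d+")
# ASSUMPTION (ours): a legitimate `formats` value is a comma-separated list of
# alphanumeric extension tokens such as "jpg,png,pdf".
LEGIT_FORMATS = re.compile(r"[A-Za-z0-9]+(,[A-Za-z0-9]+)*")
# Error text quoted in the notes; the parenthesised part echoes the submitted
# value after the template engine has evaluated it.
FORMAT_ERROR = re.compile(r"File format not allowed \((.*?)\)", re.S)
PASSWD_LINE = re.compile(r"\broot:x:0:0:")


def classify(txn):
    """Score one request/response record. Returns {"verdict", "indicators"}."""
    indicators = []
    if txn.get("method") != "POST" or not txn.get("path", "").startswith(UPLOAD_PATH):
        return {"verdict": "benign", "indicators": indicators}

    formats = txn.get("form", {}).get("formats", "")
    if formats:
        if TEMPLATE_SYNTAX.search(formats):
            indicators.append("template-syntax-in-formats")
        if ARITH_PROBE.search(formats):
            indicators.append("arithmetic-probe-in-formats")
        if not LEGIT_FORMATS.fullmatch(formats):
            indicators.append("formats-not-extension-list")
    request_anomaly = bool(indicators)

    # The XHR header is normal for the admin UI; it only counts as a signal
    # alongside an anomalous formats value, as the notes suggest.
    xhr = txn.get("headers", {}).get("X-Requested-With") == "XMLHttpRequest"
    if request_anomaly and xhr:
        indicators.append("xhr-header-with-anomalous-formats")

    confirmed = False
    if txn.get("status") == 200:
        m = FORMAT_ERROR.search(txn.get("response_body", ""))
        if m:
            echoed = m.group(1).strip()
            if PASSWD_LINE.search(echoed):
                indicators.append("passwd-leak-in-response")
                confirmed = True  # high confidence on its own
            elif echoed.isdigit():
                indicators.append("numeric-eval-in-response")
                confirmed = request_anomaly  # "49" only counts with the probe

    if confirmed:
        verdict = "exploited"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


def scan(txns):
    """Run classify over a batch; returns [(index, verdict), ...]."""
    return [(i, classify(t)["verdict"]) for i, t in enumerate(txns)]


# Constructed sample transactions (not real traffic). The payload in the
# third record is a placeholder, not a working exploit string.
XHR = {"X-Requested-With": "XMLHttpRequest"}
SAMPLES = [
    {"method": "POST", "path": UPLOAD_PATH + "?actions=true", "headers": XHR,
     "form": {"formats": "jpg,png,gif"}, "status": 200,
     "response_body": '{"status":"ok"}'},
    {"method": "POST", "path": UPLOAD_PATH + "?actions=false", "headers": XHR,
     "form": {"formats": "{{7*7}}"}, "status": 200,
     "response_body": "File format not allowed (49)"},
    {"method": "POST", "path": UPLOAD_PATH + "?actions=false", "headers": {},
     "form": {"formats": "<%= payload_redacted %>"}, "status": 200,
     "response_body": "File format not allowed (root:x:0:0:root:/root:/bin/bash\n"
                      "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin)"},
    {"method": "POST", "path": UPLOAD_PATH + "?actions=true", "headers": XHR,
     "form": {"formats": "exe"}, "status": 200,
     "response_body": "File format not allowed (exe)"},  # ordinary rejection
    {"method": "GET", "path": "/admin/media", "headers": XHR, "form": {},
     "status": 200, "response_body": "<html>...</html>"},
]

if __name__ == "__main__":
    for i, verdict in scan(SAMPLES):
        print(i, verdict, classify(SAMPLES[i])["indicators"])
```

The fourth record matters as much as the attacks: a normal rejection of a disallowed extension produces the same "File format not allowed (...)" text, so alerting on that string alone would page on every user who tries to upload an .exe. The classifier only escalates when the echoed value is the evaluated result of a probe (digits where an extension should be, or /etc/passwd content), and it only reaches "exploited" on the numeric case when the matching request carried template syntax.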