CVE-2024-46986
published 2024-09-18

Priority: P1 (80) · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 35.46% (98.2nd percentile)
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). For example, this can lead to delayed remote code execution if an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application, since initializers are loaded on the next application boot. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
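To make the bug class concrete, the following is an added Ruby illustration and not Camaleon CMS's own MediaController code. It shows the vulnerable pattern (a caller-supplied folder joined onto the media root as-is) beside a hardened check that canonicalises the destination and refuses anything outside the upload root. The media root /srv/app/public/media/1 inside a Rails app at /srv/app, the function names and the PathTraversal error class are assumptions made for the example.

```ruby
# Added illustration of the bug class, NOT Camaleon CMS's real code.
# Assumed layout: media root /srv/app/public/media/1 inside a Rails app at /srv/app.
MEDIA_ROOT = "/srv/app/public/media/1".freeze

class PathTraversal < StandardError; end

# Vulnerable pattern: the caller's "folder" field is joined onto the media
# root without normalisation, so "../../../config/initializers" escapes the
# upload directory and lands in the Rails app's initializer folder.
def unsafe_upload_path(folder, filename, root: MEDIA_ROOT)
  File.join(root, folder, filename)
end

# Hardened pattern: canonicalise to an absolute path and refuse anything that
# does not stay under the media root.
def safe_upload_path(folder, filename, root: MEDIA_ROOT)
  folder = folder.to_s
  filename = filename.to_s
  raise PathTraversal, "NUL byte in input" if (folder + filename).include?("\0")
  raise PathTraversal, "empty filename" if filename.empty?
  # The file part must be a bare basename: no slashes, not "." or "..".
  unless File.basename(filename) == filename && !%w[. ..].include?(filename)
    raise PathTraversal, "filename is not a basename"
  end

  root_abs = File.expand_path(root)
  # expand_path collapses "." and ".." and honours an absolute folder such as
  # "/etc", so the prefix check below sees the real destination.
  dir    = File.expand_path(folder, root_abs)
  target = File.expand_path(filename, dir)

  # Compare with a trailing separator so a sibling such as ".../media/10"
  # cannot pass as a prefix of ".../media/1".
  unless target.start_with?(root_abs + File::SEPARATOR)
    raise PathTraversal, "#{folder.inspect} resolves outside #{root_abs}"
  end
  target
end

if __FILE__ == $PROGRAM_NAME
  [["photos/2024", "team.png"],
   ["../../../config/initializers", "zz_payload.rb"],
   ["../../../tmp", "restart.txt"]].each do |folder, name|
    puts "unsafe: #{File.expand_path(unsafe_upload_path(folder, name))}"
    begin
      puts "safe:   #{safe_upload_path(folder, name)}"
    rescue PathTraversal => e
      puts "safe:   rejected (#{e.message})"
    end
  end
end
```

The check is lexical: File.expand_path does not resolve symlinks, so if untrusted users can create symlinks under the media root, resolve the parent directory with File.realpath before the prefix comparison as well.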

Affected (3 ranges)

Vendor          Product        Version range        Fixed in
camaleon_cms    camaleon_cms   >= 2.8.0, < 2.8.1    2.8.1
owen2345        camaleon-cms   < 2.8.2              2.8.2
tuzitio         camaleon_cms   < 2.8.2              2.8.2

Note: the first range names 2.8.1 as the fix release, while the advisory text above names 2.8.2. Treat any version below 2.8.2 as affected.

Detection & IOCs (extracted from sources)

url: /admin/media/upload?actions=false
path: ../../../config/initializers/
path: ../../../tmp/
filename: restart.txt
  • Monitor multipart POST requests to /admin/media/upload whose 'folder' field carries path traversal sequences (e.g. '../../../', including percent-encoded forms) aimed at sensitive Rails directories such as config/initializers/ or tmp/.
  • Detect upload of .rb (Ruby) files through the MediaController upload endpoint, especially when the 'folder' parameter traverses into config/initializers/.
  • Alert on upload of a file named 'restart.txt' into ../../../tmp/. On Phusion Passenger deployments, touching tmp/restart.txt restarts the application, which loads any initializer written earlier; that is the deferred RCE step. Other application servers (e.g. Puma) ignore the file, but the initializer still runs at the next restart or deploy, so the write remains worth alerting on.
  • Use Shodan/FOFA queries to identify exposed Camaleon CMS instances for proactive asset identification.
  • Detect out-of-band DNS callbacks following a Ruby file upload to config/initializers/; the public check confirms execution via a backtick-wrapped curl command placed in the initializer.
  • Exploitation requires authenticated access (a low-privileged user suffices). The flaw is in the 'folder' parameter of the media upload endpoint, which is not sanitised against path traversal. RCE is delayed until the Rails application restarts (on Passenger, triggered by writing restart.txt to tmp/).
  • RCE impact depends on the filesystem permissions of the user running the Camaleon CMS process. The attack chain needs two upload requests: the first writes a malicious .rb initializer, the second writes restart.txt to tmp/ to trigger a reload.
  • Fixed in version 2.8.2 per the advisory. The Nuclei template classifies versions prior to 2.8.1 as vulnerable, which disagrees with the 2.8.2 fix version; treat anything below 2.8.2 as affected until verified.
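The detection bullets above, as an added Ruby example that is not from the page's sources: it applies the rules to a constructed JSON-lines request log and correlates the .rb write into config/initializers/ with the later restart.txt write from the same actor into a single chain alert. The record fields (ts, src_ip, user, method, path, params.folder, params.file_name) are assumed for the example; a real deployment needs parameter logging from the application or a WAF, because a plain access log never sees the multipart 'folder' field.

```ruby
require "json"
require "cgi"

# Added detection example; the log format below is constructed for this page,
# not the output of Camaleon CMS or any specific WAF.
UPLOAD_PATH = "/admin/media/upload".freeze

# Percent-decode repeatedly (bounded) so "..%2f" and "..%252f" both become
# "../", then fold backslashes so "..\" is treated like "../".
def normalise(value, rounds: 3)
  s = value.to_s
  rounds.times do
    decoded = CGI.unescape(s)
    break if decoded == s
    s = decoded
  end
  s.tr("\\", "/")
end

# A folder value is traversal if it is absolute or contains a ".." segment.
def traversal?(folder)
  f = normalise(folder)
  f.start_with?("/") || f.split("/").include?("..")
end

# Does the folder, with dot segments stripped, end in the given Rails directory?
def targets?(folder, dir)
  kept = normalise(folder).split("/").reject { |p| p.empty? || p == "." || p == ".." }
  kept.join("/").end_with?(dir)
end

# The rules from the bullets above, applied to one request record.
def classify(event)
  return [] unless event["method"] == "POST" &&
                   event["path"].to_s.split("?").first == UPLOAD_PATH
  folder = event.dig("params", "folder").to_s
  name   = File.basename(normalise(event.dig("params", "file_name")))
  findings = []
  findings << :traversal_in_folder if traversal?(folder)
  findings << :ruby_upload if name.end_with?(".rb")
  findings << :ruby_file_to_initializers if name.end_with?(".rb") && targets?(folder, "config/initializers")
  # tmp/restart.txt is the Phusion Passenger restart trigger: the step that
  # makes a previously written initializer execute.
  findings << :passenger_restart_trigger if name == "restart.txt" && targets?(folder, "tmp")
  findings
end

# Walk a JSON-lines log, emit one alert per suspicious request, and tag the
# restart write as a completed chain when the same actor already dropped an initializer.
def scan(jsonl)
  alerts = []
  dropped_initializer = {} # actor => timestamp of the .rb write
  jsonl.each_line do |line|
    next if line.strip.empty?
    ev = JSON.parse(line)
    findings = classify(ev)
    next if findings.empty?
    actor = "#{ev['user']}@#{ev['src_ip']}"
    dropped_initializer[actor] = ev["ts"] if findings.include?(:ruby_file_to_initializers)
    if findings.include?(:passenger_restart_trigger) && dropped_initializer.key?(actor)
      findings << :delayed_rce_chain
    end
    alerts << { ts: ev["ts"], actor: actor, findings: findings }
  end
  alerts
end

# Constructed sample: one benign upload, the two-step attack, and an unrelated GET.
SAMPLE_LOG = <<~JSONL
  {"ts":"2024-09-18T10:00:01Z","src_ip":"203.0.113.7","user":"editor","method":"POST","path":"/admin/media/upload?actions=false","params":{"folder":"photos/2024","file_name":"team.png"}}
  {"ts":"2024-09-18T10:00:05Z","src_ip":"203.0.113.7","user":"editor","method":"POST","path":"/admin/media/upload?actions=false","params":{"folder":"../../../config/initializers/","file_name":"zz_payload.rb"}}
  {"ts":"2024-09-18T10:00:09Z","src_ip":"203.0.113.7","user":"editor","method":"POST","path":"/admin/media/upload?actions=false","params":{"folder":"..%2f..%2f..%2ftmp%2f","file_name":"restart.txt"}}
  {"ts":"2024-09-18T10:01:00Z","src_ip":"198.51.100.4","user":"alice","method":"GET","path":"/admin/media/upload","params":{}}
JSONL

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |a| puts "#{a[:ts]} #{a[:actor]} #{a[:findings].join(',')}" }
end
```

The chain rule keys on the actor, not on timing, because the restart write can come much later than the initializer drop. On app servers that ignore tmp/restart.txt the second request never arrives, so the :ruby_file_to_initializers finding on its own should already page someone.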