CVE-2024-46987
Published 2024-09-18
Priority P2 · 61 · high · CVSS 3.1 7.7
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EXPLOIT · EPSS 14.56% (96.2th percentile)
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| camaleon_cms | camaleon_cms | >= 0 < 2.8.1 | 2.8.1 |
| camaleon_cms | camaleon_cms | 2.4.5.0 – 2.9.1 | — |
| owen2345 | camaleon_cms | 2.4.5.0 – 2.9.0 | — |
| tuzitio | camaleon_cms | 2.4.5 – 2.9.0 | — |
| tuzitio | camaleon_cms | >= 2.8.0 < 2.8.2 | 2.8.2 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the download_private_file endpoint for directory traversal sequences (e.g., '../') in the 'file' parameter, particularly on deployments using the CamaleonCmsAwsUploader backend.
- Any authenticated user (including low-privileged registered users) can exploit this vulnerability; do not restrict detection scope to admin sessions.
- A public Metasploit auxiliary module (gather/camaleon_download_private_file) and an Exploit-DB PoC (52531) exist for this CVE; expect automated exploitation attempts against Camaleon CMS instances.
- The path traversal bypass only affects deployments using the AWS S3 storage backend (CamaleonCmsAwsUploader). Deployments using the local uploader are protected by the existing valid_folder_path? check and are not vulnerable to this specific bypass.
- This issue is a bypass of the incomplete fix for CVE-2024-46987 and affects Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e.
- The Metasploit module targets Camaleon CMS versions <= 2.8.0 and 2.9.0 specifically; version scoping should be applied when triaging alerts.
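As an added example (not from any of the sources quoted on this page), the Ruby script below applies the first detection point above to constructed web-server access-log lines: it picks out requests whose path contains download_private_file, URL-decodes the file query parameter repeatedly so double-encoded sequences are seen, and flags any value containing a '..' segment. The route path, the combined log format and the sample lines are assumptions.

```ruby
require 'uri'

# Constructed sample access-log lines (nginx/Apache combined format); not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [18/Sep/2024:10:00:01 +0000] "GET /admin/media/download_private_file?file=report.pdf HTTP/1.1" 200 5120
  10.0.0.9 - - [18/Sep/2024:10:00:07 +0000] "GET /admin/media/download_private_file?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1801
  10.0.0.9 - - [18/Sep/2024:10:00:09 +0000] "GET /admin/media/download_private_file?file=%252e%252e%252fconfig%252fdatabase.yml HTTP/1.1" 200 912
  10.0.0.7 - - [18/Sep/2024:10:00:12 +0000] "GET /admin/media/files?folder=docs HTTP/1.1" 200 300
  10.0.0.9 - - [18/Sep/2024:10:00:15 +0000] "GET /admin/media/download_private_file?file=docs/../../secrets.txt HTTP/1.1" 404 120
LOG

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Decode until the value stops changing (bounded) so %252e%252e is not missed.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
end

# True when any path segment of the decoded value is ".." (either separator).
def traversal?(value)
  fully_decode(value).split(%r{[\\/]+}).include?('..')
end

# One hash per suspicious request: client IP, raw target, decoded file value.
# The route name "download_private_file" is the only assumption about the URL.
def find_traversal_attempts(log_text)
  log_text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line) or next
    uri = URI.parse(m[:target]) rescue nil
    next unless uri && uri.path.include?('download_private_file')
    file = URI.decode_www_form(uri.query.to_s).to_h['file'] or next
    next unless traversal?(file)
    { ip: line.split(' ').first, target: m[:target], file: fully_decode(file) }
  end
end

find_traversal_attempts(SAMPLE_LOG).each { |hit| puts "#{hit[:ip]} #{hit[:file]}" }
```

A 404 on the last line does not make it benign: the request still shows someone probing the parameter, which is what the alert should capture.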
CVSS provenance
- nvd: v3.1 7.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
- ghsa: 7.7 HIGH
- osv: 7.7 HIGH
GHSA: Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation (CVE-2026-1776, HIGH, CWE-22) · 2026-03-10 · CVSS 7.7
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a
OSV: Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation (CVE-2026-1776, HIGH) · 2026-03-10 · CVSS 7.7
OSV: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) (CVE-2024-46987, HIGH) · 2024-09-18
A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).
In the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) method:
```ruby
def download_private_file
  cama_uploader.enable_private_mode!
  # params[:file] is interpolated unchanged: nothing rejects "../" sequences,
  # so the request can escape the private/ prefix (the vulnerable code as published).
  file = cama_uploader.fetch_file("private/#{params[:file]}")
  send_file file, disposition: 'inline'
end
```
The file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uplo
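As an added illustration, not code from Camaleon CMS or from the advisory, the Ruby helper below shows the kind of containment check the method above lacks: it resolves the user-supplied value against the private directory and refuses anything that does not stay inside it. safe_private_path and resolve_download are hypothetical names, and the base directory used in the comments is an assumption.

```ruby
require 'pathname'

# Hypothetical helper (not Camaleon's valid_folder_path?). Run it on the exact
# string that will be used to open the file: Rails has already URL-decoded
# params by the time a controller sees them, so decoding again here would
# check a different value than the one the uploader receives.
class PathOutsideBase < StandardError; end

def safe_private_path(base, requested)
  value = requested.to_s
  raise PathOutsideBase, 'empty path'     if value.empty?
  raise PathOutsideBase, 'NUL byte'       if value.include?("\0")
  raise PathOutsideBase, 'absolute path'  if Pathname.new(value).absolute?
  # File.expand_path turns a leading "~" into a home directory, not a file name.
  raise PathOutsideBase, 'home expansion' if value.start_with?('~')

  base_dir = File.expand_path(base)
  target   = File.expand_path(value, base_dir)   # collapses "." and ".." lexically

  # Compare with a trailing separator so "/srv/app/private_evil" cannot pass
  # as a child of "/srv/app/private".
  unless target == base_dir || target.start_with?(base_dir + File::SEPARATOR)
    raise PathOutsideBase, "#{value.inspect} resolves outside #{base_dir}"
  end
  target
end

# Controller-shaped wrapper: the resolved path, or nil when the request must be
# refused (answer 404 rather than echoing the rejected value back to the client).
def resolve_download(base, requested)
  safe_private_path(base, requested)
rescue PathOutsideBase
  nil
end

puts resolve_download('/srv/app/private', 'docs/report.pdf').inspect
puts resolve_download('/srv/app/private', '../../../../etc/passwd').inspect
```

The check is lexical: it does not follow symlinks, so a symlink inside the private directory that points elsewhere still needs File.realpath (which requires the file to exist) or a no-symlink policy on that tree.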
GHSA: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) (CVE-2024-46987, HIGH, CWE-200) · 2024-09-18
No detection rules found.
Exploit-DB: Camaleon CMS v2.9.0 - Path Traversal (CVE-2024-46987, HIGH) · 2026-04-30 · CVSS 7.7
```python
# Exploit Title: Camaleon CMS v2.9.0 - Path Traversal
# Date: 2026-02-02
# Exploit Author: Sakshi Velampudi (CyberQuestor)
# Vendor Homepage: https://github.com/owen2345/camaleon-cms
# Software Link: https://github.com/owen2345/camaleon-cms/releases/tag/2.9.0
# Version: 3000:
print("\n...output truncated...")
raise SystemExit(0)
# Other failure conditions
print("\n[!] Request failed.")
if response.status_code == 500:
    print("[!] The file path may be invalid, or the server encountered an internal error.")
print(f"[i] Response length: {len(response.content)} bytes")
raise SystemExit(1)
```
Metasploit: Camaleon CMS Directory Traversal CVE-2024-46987
Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions <= 2.8.0 and 2.9.0.
Rapid7: Metasploit Wrap-Up 04/25/2026 (CVE-2024-46987, HIGH) · blogs_rapid7 · 2026-04-24 · CVSS 7.7
## Check Method Visibility
Metasploit has supported check methods for many years now. It’s not always desirable to jump straight into exploiting a vulnerability but instead to determine if the target is vulnerable. Metasploit tries to be very conservative with classifying a target as “vulnerable” unless the vulnerability is leveraged as part of the check method, reserving the “appears” status for version checks. The different check codes a module is capable of returning and the logic to select among them varies from exploit to exploit and is not always the easiest to understand. Aligning with the consistent feedback that Metasploit has received that module actions should be more transparent, adfoster-r7 has been adding reasoning information en masse to the check codes returned by a variet
Wiz: CVE-2026-1776 Impact, Exploitability, and Mitigation Steps (CVE-2026-1776, HIGH) · blogs_wiz · CVSS 7.7
## CVE-2026-1776: Ruby vulnerability analysis and mitigation
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the inco
References
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
- https://owasp.org/www-community/attacks/Path_Traversal
- https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS
- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
Published: 2024-09-18