CVE-2024-46987 HIGH

CVE-2024-46987: Arbitrary path traversal in Camaleon CMS

Vendor Owen2345
Product camaleon-cms
Weakness CWE-200 · Info exposure
Published September 18, 2024
Last update April 17, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
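To illustrate the bug class behind this advisory, here is an added Ruby example (not Camaleon CMS code, and not the project's actual download_private_file implementation) contrasting a download helper that joins user input onto a base directory with one that confines the resolved path to that directory. The directory layout, file names and helper names are constructed for the demonstration.

```ruby
# Added illustration of a path-traversal flaw in a "download private file" endpoint
# and of a containment check that prevents it. Not Camaleon CMS code.
require "tmpdir"
require "fileutils"

# Constructed fixture: a private-files directory with one legitimate file, plus a
# file outside it that the endpoint must never serve.
ROOT = Dir.mktmpdir("cms-demo")
PRIVATE_DIR = File.join(ROOT, "private")
FileUtils.mkdir_p(PRIVATE_DIR)
File.write(File.join(PRIVATE_DIR, "report.pdf"), "report")
File.write(File.join(ROOT, "secret.txt"), "db-password")

# Vulnerable pattern: the user-supplied name is appended to the base path and the
# result is trusted. A name containing ".." resolves outside PRIVATE_DIR.
def unsafe_resolve(user_path)
  File.join(PRIVATE_DIR, user_path)
end

# Hardened pattern: build an absolute path (which collapses ".."), follow symlinks,
# then require the canonical result to sit beneath the canonical base directory.
# Returns the path to serve, or nil when the request must be rejected.
def safe_resolve(user_path)
  base = File.realpath(PRIVATE_DIR)
  candidate = File.expand_path(user_path, base)   # absolute; "../x" and "/etc/x" no longer start with base
  return nil unless File.file?(candidate)         # only regular files are served
  real = File.realpath(candidate)                 # resolve symlinks before the containment check
  return nil unless real.start_with?(base + File::SEPARATOR)
  real
end
```

The prefix check is done on the canonical path with a trailing separator so that a sibling directory whose name merely begins with the base name is not accepted.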

Key dates

Disclosure timeline

September 18, 2024 CVE published
April 17, 2025 Record updated