CVE-2024-46987
moderate-risk
Published 2024-09-18
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Do I need to act?
-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.7/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (5)
Third Party Advisory
https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
Issue Tracking
https://owasp.org/www-community/attacks/Path_Traversal
33
/ 100
moderate-risk
Severity
27/34 · High
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal