CVE-2024-46986

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46986
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46986.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46986
Aliases
Published
2024-09-18T17:14:09Z
Modified
2025-10-22T18:43:35.686Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Arbitrary file write leading to RCE in Camaleon CMS
Details

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

Git / github.com/owen2345/camaleon-cms

Affected ranges

Type
GIT
Repo
https://github.com/owen2345/camaleon-cms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b450c33929ed4f88ac40d8c59c3991da687d02a7

Affected versions

0.*

0.1.7
0.2.0

2.*

2.1.1
2.1.2
2.1.2.0
2.1.2.1
2.2.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.3.10
2.4.3.11
2.4.3.12
2.4.3.7
2.4.4
2.4.4.2
2.4.4.3
2.4.4.5
2.4.4.6
2.4.5
2.4.5.1
2.4.5.10
2.4.5.11
2.4.5.12
2.4.5.13
2.4.5.14
2.4.5.7
2.4.6.0
2.4.6.1
2.4.6.7
2.5.1
2.5.3
2.5.3.1
2.6.0
2.6.0.1
2.6.1
2.6.2
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0
2.8.1

camaleon_cms-2.*

camaleon_cms-2.4.5.11.gem

v2.*

v2.0.0
v2.1.1.3