GHSA-rp28-mvq3-wf8j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rp28-mvq3-wf8j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rp28-mvq3-wf8j/GHSA-rp28-mvq3-wf8j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rp28-mvq3-wf8j
- Aliases
-
- CVE-2025-2304
- Published
- 2025-03-14T15:32:03Z
- Modified
- 2025-03-19T15:46:58.677792Z
- Severity
-
- 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment
- Details
-
A Privilege Escalation through a Mass Assignment exists in Camaleon CMS
When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.
- Database specific
{ "nvd_published_at": "2025-03-14T13:15:41Z", "cwe_ids": [ "CWE-915" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-03-17T14:34:48Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-2304
- https://github.com/owen2345/camaleon-cms/pull/1109
- https://github.com/owen2345/camaleon-cms/commit/179fd6b1ecf258d3e214aebfa87ac4a322ea4db4
- https://github.com/owen2345/camaleon-cms
- https://github.com/owen2345/camaleon-cms/releases/tag/2.9.1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2025-2304.yml
- https://www.tenable.com/security/research/tra-2025-09
Affected packages
RubyGems / camaleon_cms
Package
- Name
- camaleon_cms
- Purl
- pkg:gem/camaleon_cms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.1
Affected versions
0.*
0.0.1
0.0.2
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
1.*
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
2.*
2.0.1
2.0.2
2.0.3
2.0.4
2.0.4.1
2.1.0
2.1.1
2.1.1.4
2.1.2.0
2.1.2.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.7.1
2.3.7.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.3.1
2.4.3.2
2.4.3.3
2.4.3.4
2.4.3.5
2.4.3.6
2.4.3.7
2.4.3.8
2.4.3.9
2.4.3.10
2.4.3.11
2.4.3.12
2.4.3.13
2.4.4
2.4.4.1
2.4.4.2
2.4.4.3
2.4.4.4
2.4.4.5
2.4.4.6
2.4.4.7
2.4.5
2.4.5.1
2.4.5.2
2.4.5.3
2.4.5.4
2.4.5.5
2.4.5.7
2.4.5.8
2.4.5.9
2.4.5.10
2.4.5.11
2.4.5.12
2.4.5.13
2.4.5.14
2.4.6.0
2.4.6.1
2.4.6.2
2.4.6.3
2.4.6.4
2.4.6.5
2.4.6.6
2.4.6.7
2.4.6.8
2.4.6.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.3.1
2.6.0
2.6.0.1
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0