GHSA-vx6p-q4gj-x6xx

Source
https://github.com/advisories/GHSA-vx6p-q4gj-x6xx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vx6p-q4gj-x6xx/GHSA-vx6p-q4gj-x6xx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vx6p-q4gj-x6xx
Aliases
Published
2022-05-24T19:18:04Z
Modified
2023-11-08T04:05:19.308567Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Camaleon CMS vulnerable to Server-Side Request Forgery
Details

Camaleon CMS versions 2.1.2.0 through 2.6.0 are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing localhost or other internal servers. This allows attackers to read files stored on the internal server.
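As an added illustration (not Camaleon CMS code), the following Ruby check shows the kind of validation the advisory says was missing: it resolves the supplied media URL's host and refuses to fetch anything that lands on loopback, private, link-local or other non-public address space, in both IPv4 and IPv6 form. The function name `safe_media_url?`, the injectable `resolver:` keyword and the sample hostnames are assumptions made for this example so it runs offline.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address space a server-side fetcher should never be pointed at: loopback,
# RFC 1918 private, link-local, CGNAT and "this network", for IPv4 and IPv6.
BLOCKED_RANGES = [
  "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
  "::1/128", "fc00::/7", "fe80::/10"
].map { |cidr| IPAddr.new(cidr) }

# Returns true only when `raw` is an http(s) URL whose host resolves exclusively
# to public addresses. `resolver:` is a callable (hostname -> array of IP
# strings); it is injectable so the check can run offline (assumed interface),
# and defaults to Resolv so the names the fetcher would use are what is checked.
def safe_media_url?(raw, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(raw)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname                       # strips [] from IPv6 literals
  return false if host.nil? || host.empty?

  # A literal IP needs no lookup; anything else goes through the resolver.
  addrs = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  # Unparseable or unresolvable hosts (e.g. shorthand like "127.1") fail closed.
  return false if addrs.empty?

  # Every record must be public; one internal A/AAAA answer rejects the URL.
  addrs.none? do |ip|
    ip = ip.native                          # ::ffff:a.b.c.d is really IPv4 a.b.c.d
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end
```

Because an allowed URL can redirect to an internal address, a fetcher should apply the same check to every redirect hop, and it should connect to the addresses it validated rather than resolving the name a second time.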

Database specific
{
    "nvd_published_at": "2021-10-20T12:15:00Z",
    "github_reviewed_at": "2023-01-26T23:52:12Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

RubyGems / camaleon_cms

Package

Name
camaleon_cms
Purl
pkg:gem/camaleon_cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.2.0
Fixed
2.6.0.1

Affected versions

2.*

2.1.2.0
2.1.2.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.7.1
2.3.7.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.3.1
2.4.3.2
2.4.3.3
2.4.3.4
2.4.3.5
2.4.3.6
2.4.3.7
2.4.3.8
2.4.3.9
2.4.3.10
2.4.3.11
2.4.3.12
2.4.3.13
2.4.4
2.4.4.1
2.4.4.2
2.4.4.3
2.4.4.4
2.4.4.5
2.4.4.6
2.4.4.7
2.4.5
2.4.5.1
2.4.5.2
2.4.5.3
2.4.5.4
2.4.5.5
2.4.5.7
2.4.5.8
2.4.5.9
2.4.5.10
2.4.5.11
2.4.5.12
2.4.5.13
2.4.5.14
2.4.6.0
2.4.6.1
2.4.6.2
2.4.6.3
2.4.6.4
2.4.6.5
2.4.6.6
2.4.6.7
2.4.6.8
2.4.6.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.3.1
2.6.0