Unknown · Camaleon CMS · CVE-2026-1776
**Name of the Vulnerable Software and Affected Versions**
Camaleon CMS versions 2.4.5.0 through 2.9.0
**Description**
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, have a path traversal issue in the AWS S3 uploader implementation. Authenticated users can read arbitrary files from the web server’s filesystem. The issue is present in the `download private file` functionality when using the CamaleonCmsAwsUploader backend. The application does not validate file paths, allowing directory traversal sequences through the `file` parameter. This allows any authenticated user to access sensitive files, such as `/etc/passwd`. This is a bypass of a previous fix.
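
The path validation the description says is missing can be sketched as follows. This is an added example, not Camaleon CMS code and not the content of commit f54a77e; `resolve_private_file`, `under?`, `allowed?`, `build_fixture` and the fixture layout are hypothetical names constructed for illustration. It goes slightly beyond `..` sequences by also re-checking containment after symlink resolution.

```ruby
require "tmpdir"
require "fileutils"

class UnsafePathError < StandardError; end

# Hypothetical helper, not Camaleon CMS code: map a user-supplied `file`
# parameter to a real path that is guaranteed to live under base_dir.
def resolve_private_file(base_dir, file_param)
  param = file_param.to_s
  raise UnsafePathError, "empty or NUL path" if param.empty? || param.include?("\0")
  base = File.realpath(base_dir)
  # File.join keeps the value relative to base even if it starts with "/";
  # expand_path then collapses "." and ".." lexically.
  lexical = File.expand_path(File.join(base, param))
  raise UnsafePathError, "escapes base directory" unless under?(base, lexical)

  # Resolve symlinks and check again, so a link inside base that points
  # outside it cannot be used to get around the lexical check.
  real = File.realpath(lexical)
  raise UnsafePathError, "symlink leaves base directory" unless under?(base, real)
  raise UnsafePathError, "not a regular file" unless File.file?(real)
  real
rescue Errno::ENOENT, Errno::ENOTDIR, Errno::ELOOP
  raise UnsafePathError, "no such file"
end

# Trailing separator: "/srv/private-old" must not count as under "/srv/private".
def under?(base, path)
  path.start_with?(base + File::SEPARATOR)
end

# Constructed fixture: a private directory, one legitimate file, a secret
# outside the directory, and a symlink inside it that points at the secret.
def build_fixture
  root = Dir.mktmpdir("private_demo")
  base = File.join(root, "private")
  FileUtils.mkdir_p(File.join(base, "docs"))
  File.write(File.join(base, "docs", "report.txt"), "ok")
  File.write(File.join(root, "secret.txt"), "s3cr3t")
  File.symlink(File.join(root, "secret.txt"), File.join(base, "link.txt"))
  base
end

def allowed?(base, param)
  !!resolve_private_file(base, param)
rescue UnsafePathError
  false
end
```

A prefix comparison without the trailing separator, or a check done only on the unresolved string, is the kind of partial validation that leaves room for a later bypass.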
**Recommendations**
Update Camaleon CMS to a version prior to 2.9.0 that includes commit f54a77e.