Unknown · Camaleon CMS · CVE-2024-46986
**Name of the Vulnerable Software and Affected Versions**
Camaleon CMS versions prior to 2.8.2
**Description**
An arbitrary file write vulnerability in the `upload` method of the MediaController allows any authenticated user to write files to arbitrary locations on the server running Camaleon CMS, limited only by the filesystem permissions of the account the application runs as. The `upload` method passes the attacker-controlled `folder` request parameter to the Cama uploader's upload-file method without validating it, and the uploader uses that value as the target directory when writing the file to disk. A crafted request to the `/admin/media/upload` endpoint whose `folder` parameter contains path traversal sequences (such as `..`) therefore places the uploaded file outside the intended media directory. If the attacker can write a Ruby file into the application's `config/initializers/` directory, the file is evaluated the next time the Rails application boots, because Rails loads every file in that directory at startup; this is why the impact is described as delayed remote code execution rather than immediate.
**Recommendations**
To resolve the issue, update to version 2.8.2 or later. As a temporary workaround, restrict access to the `upload` method of the MediaController (for example to administrator accounts only) so that ordinary authenticated users cannot reach it. In application code, never use a path built from untrusted input as-is: resolve it to a normalized absolute path first, then verify that the result lies inside the intended base directory. Rejecting the literal sequence `..` in untrusted input is a useful additional filter but is not sufficient on its own, since an absolute `folder` value also escapes the directory; a prefix check on the normalized path covers both cases.
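The check the recommendation calls for, as an added example written for this page (not Camaleon CMS's own code): a hypothetical upload routine that takes an untrusted `folder` parameter, first in the vulnerable shape the description outlines and then hardened by normalizing the path and checking it against the upload root. The method names, the upload root and the sample inputs are assumptions.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not Camaleon CMS code: a stand-in for an upload routine that
# accepts an untrusted `folder` parameter, in a vulnerable and a hardened form.

# Vulnerable: the untrusted folder is joined onto the upload root unchecked, so
# "../../config/initializers" (or an absolute path) selects a directory outside it.
def unsafe_target_dir(upload_root, folder)
  File.join(upload_root, folder.to_s)
end

# Hardened: normalize the joined path, then require it to stay inside upload_root.
# File.absolute_path resolves "." and ".." and, unlike File.expand_path, does not
# expand a leading "~"; an absolute `folder` simply replaces the base and is then
# caught by the prefix check. Raises ArgumentError for anything outside the root.
def safe_target_dir(upload_root, folder)
  root = File.absolute_path(upload_root)
  candidate = File.absolute_path(folder.to_s, root)
  # Compare against "root/" so that a sibling such as "uploads_evil" is not
  # accepted merely because it starts with the string "uploads".
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  raise ArgumentError, "folder escapes upload root: #{folder.inspect}" unless inside
  candidate
end

# Write an uploaded file using the hardened check. The file name is reduced to
# its basename so it cannot carry directory components of its own.
def save_upload(upload_root, folder, filename, content)
  dir = safe_target_dir(upload_root, folder)
  name = File.basename(filename.to_s)
  if name.empty? || name == "." || name == ".." || name.include?(File::SEPARATOR)
    raise ArgumentError, "invalid file name: #{filename.inspect}"
  end
  FileUtils.mkdir_p(dir)
  path = File.join(dir, name)
  File.binwrite(path, content)
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo inputs: a throwaway upload root and the kind of folder
  # values an attacker would send to the upload endpoint.
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "uploads")
    puts "vulnerable join resolves to: " \
         "#{File.absolute_path(unsafe_target_dir(root, '../../config/initializers'))}"
    puts "stored at: #{save_upload(root, 'images/2024', '../logo.png', "\x89PNG")}"
    ["../../config/initializers", "/etc", "../uploads_evil"].each do |folder|
      begin
        safe_target_dir(root, folder)
      rescue ArgumentError => e
        puts "rejected: #{e.message}"
      end
    end
  end
end
```

`File.absolute_path` does not resolve symlinks; if the upload tree could contain attacker-created symlinks, resolve both sides with `File.realpath` instead (which requires the directory to exist first). Reducing the file name to its basename keeps the check from being bypassed through the other half of the path.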