CVE-2018-18260

Name of the Vulnerable Software and Affected Versions Camaleon CMS version 2.4

Description A Stored XSS issue has been discovered in Camaleon CMS. The profile image in the User settings section can be exploited in the update/upload area via the "admin/media/upload?actions=false" endpoint. The vendor reports being unable to reproduce the issue on any version.

Recommendations For Camaleon CMS version 2.4, as a temporary workaround, consider restricting access to the /admin/media/upload?actions=false endpoint until a patch is available. Avoid using the profile image upload feature in the User settings section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.