PT-2024-32321 · Unknown · Camaleon Cms

Peter Stöckli · Published 2024-09-18 · Updated 2026-04-19 · CVE-2024-46987

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Camaleon CMS versions prior to 2.8.2

Description: A path traversal vulnerability reachable through the download_private_file method of MediaController allows authenticated users to download any file on the web server that Camaleon CMS is running on, subject to the file permissions of the application process. This issue may lead to information disclosure. The vulnerable download_private_file method is used to download private files; the file parameter it receives is passed to the fetch_file method of the CamaleonCmsLocalUploader class. The issue can be exploited by visiting a URL such as https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd to download the /etc/passwd file.

Recommendations: For versions prior to 2.8.2, upgrade to release version 2.8.2 to address the issue. As a temporary workaround, normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. Restrict access to the download_private_file method to minimize the risk of exploitation.
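The workaround described in the Recommendations (normalize the untrusted path, verify that the result stays inside the intended directory, and refuse `..` segments outright) as an added Ruby example. This is not Camaleon CMS code and does not reproduce its uploader; the base directory, the `resolve_private_file` and `check_private_file` names and the sample inputs are assumptions constructed for illustration.

```ruby
# Added example, not Camaleon CMS code: resolve an untrusted "file" parameter
# against a fixed private-uploads directory and refuse anything that escapes it.
# The directory and method names here are assumptions for illustration.
require "pathname"

class PathTraversalError < StandardError; end

# Returns the absolute path of +requested+ inside +base_dir+, or raises
# PathTraversalError if the normalized path would not be strictly inside it.
def resolve_private_file(base_dir, requested)
  if requested.nil? || requested.strip.empty?
    raise PathTraversalError, "missing file parameter"
  end

  # First check from the advisory's workaround: refuse any ".." component
  # outright, on either separator, before touching the filesystem.
  if requested.split(%r{[\\/]}).include?("..")
    raise PathTraversalError, "'..' segments are not allowed"
  end

  base = Pathname.new(base_dir).expand_path

  # expand_path normalizes "." and ".." segments; if +requested+ is itself
  # absolute (e.g. "/etc/passwd"), Pathname#+ yields that absolute path, which
  # the containment check below then rejects.
  candidate = (base + requested).expand_path

  # Second check: containment on whole path components. Comparing against
  # base + separator means "/srv/private_files_old/x" is not mistaken for a
  # child of "/srv/private_files".
  unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise PathTraversalError, "resolved path #{candidate} escapes #{base}"
  end

  candidate.to_s
end

# Convenience wrapper mirroring how a controller might report the outcome:
# returns [:ok, path] or [:rejected, message] instead of raising.
def check_private_file(base_dir, requested)
  [:ok, resolve_private_file(base_dir, requested)]
rescue PathTraversalError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/private_files" # constructed example directory
  # Constructed inputs: two legitimate names and three traversal attempts.
  ["docs/report.pdf", "a..b.txt", "../../../../../../etc/passwd",
   "/etc/passwd", "sub/../../other/x"].each do |file|
    verdict, detail = check_private_file(base, file)
    puts "#{file.inspect} => #{verdict} (#{detail})"
  end
end
```

The check runs on the parameter as the framework delivers it, after percent-decoding, so it must sit in the controller or uploader rather than in front of the router. `expand_path` does not follow symlinks; where the candidate file already exists, resolving it with `Pathname#realpath` and repeating the containment check closes the case of a symlink inside the private directory that points outside it.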

Exploit · Fix

Information Disclosure · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-46987
GHSA-CP65-5M9R-VC2C

Affected Products

Camaleon Cms