PT-2024-40048 · Unknown · Camaleon Cms

Published: 2024-09-23 · Updated: 2024-09-23

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Camaleon CMS (affected versions not specified)

Description: The issue is a path traversal vulnerability in the MediaController class. An attacker who has taken over an administrator account could delete arbitrary files or folders on the server hosting Camaleon CMS. The vulnerability is reachable through the actions method, where the folder parameter flows into the delete file method of the CamaleonCmsLocalUploader class without validation, allowing unchecked deletion of files. A proof of concept demonstrates how an attacker could delete a file such as README.md in the top-level folder of the Ruby on Rails application. This issue may leave the CMS or the underlying system in a defective state.

Recommendations: To resolve the issue, normalize every file path constructed from untrusted user input before using it, and check that the resulting path lies inside the intended directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. As a temporary workaround, consider restricting access to the delete file method of the CamaleonCmsLocalUploader class to minimize the risk of exploitation.
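One way to implement the recommended normalization and containment check in Ruby, shown here as an added example rather than Camaleon CMS's own code. The `safe_media_path`, `safe_delete` and `demo` names, the temp-directory layout and the sample files are assumptions made for the demonstration; the check itself is the one the recommendation describes (reject `..` components and absolute paths, expand the path, then verify it stays under the media root before anything is deleted).

```ruby
require "pathname"
require "fileutils"
require "tmpdir"

# Resolve an untrusted folder/file name against +root+ and return the absolute
# Pathname only if it stays inside +root+; return nil for anything else.
def safe_media_path(untrusted, root)
  return nil if untrusted.nil? || untrusted.empty? || untrusted.include?("\0")
  # Refuse traversal components (with either separator), absolute paths and
  # home-directory expansion up front, as the advisory recommends.
  parts = untrusted.split(%r{[\\/]+})
  return nil if parts.include?("..")
  return nil if untrusted.start_with?("/", "~")
  root = Pathname.new(File.expand_path(root))
  candidate = Pathname.new(File.expand_path(untrusted, root.to_s))
  # Containment check on the normalized path: candidate must be root or below it.
  rel = candidate.relative_path_from(root).to_s
  return nil if rel == ".." || rel.start_with?("../")
  candidate
end

# Delete a file or folder under +root+ only after the containment check passes.
# Returns :deleted, :refused or :missing so the caller can log the outcome.
def safe_delete(untrusted, root)
  target = safe_media_path(untrusted, root)
  return :refused if target.nil? || target == Pathname.new(File.expand_path(root))
  return :missing unless target.exist?
  FileUtils.rm_rf(target.to_s)
  :deleted
end

# Self-contained demo on constructed files in a temp dir: a media root holding
# one upload, and a README.md two levels above it standing in for the app root.
def demo
  Dir.mktmpdir("camaleon-demo") do |app_root|
    media_root = File.join(app_root, "public", "media")
    FileUtils.mkdir_p(media_root)
    File.write(File.join(media_root, "photo.jpg"), "constructed upload")
    File.write(File.join(app_root, "README.md"), "constructed app file")

    {
      traversal:       safe_delete("../../README.md", media_root),
      backslash:       safe_delete("..\\..\\README.md", media_root),
      absolute:        safe_delete(File.join(app_root, "README.md"), media_root),
      root_self:       safe_delete(".", media_root),
      legit:           safe_delete("photo.jpg", media_root),
      readme_survives: File.exist?(File.join(app_root, "README.md")),
      photo_gone:      !File.exist?(File.join(media_root, "photo.jpg"))
    }
  end
end

puts demo.inspect if __FILE__ == $0
```

The demo refuses every attempt to reach README.md outside the media root while still deleting a legitimate upload inside it; the delete helper also refuses to remove the media root itself. Note that this is a lexical check: if uploads may contain symbolic links, resolve the candidate with `realpath` and repeat the containment test before deleting.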

Related Identifiers

GHSA-3HP8-6J24-M5GM

Affected Products

Camaleon Cms