PT-2024-40451 · Unknown · Camaleon Cms
| Published | 2024-09-18 |
| Updated | 2024-09-18 |
| CVSS v4.0 | 4.8 (Medium) |
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Camaleon CMS (affected versions not specified)
Description
A stored cross-site scripting issue has been found in the image upload functionality of Camaleon CMS. It allows normal registered users to upload SVG images or HTML documents containing malicious JavaScript, which executes when an authenticated user or administrator visits the uploaded content. This can lead to account takeover due to reflected cross-site scripting (XSS). The issue can be exploited by uploading a crafted SVG image, such as test-xss.svg, which contains a script that executes when the image is accessed. The estimated number of potentially affected devices is not available.
Recommendations
To resolve the issue, only allow the upload of safe file types such as PNG and TXT. Alternatively, serve all "unsafe" files, such as SVG, with a Content-Disposition: attachment header, which prevents browsers from rendering them inline.
Additionally, consider implementing a Content Security Policy (CSP) that disallows inline scripts.
To prevent theft of the auth token, mark the cookie that carries it as HttpOnly.
Consider using the authentication provided by Ruby on Rails to limit the usefulness of stolen tokens.
As a temporary workaround, consider restricting access to the image upload functionality until a patch is available.
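The recommendations above in code form, as an added example that is not Camaleon CMS's own code: an extension allowlist, a content sniff that catches renamed SVG/HTML files, a Content-Disposition: attachment response for active content, a CSP with no inline script, and HttpOnly on the session cookie. All names (classify_upload, headers_for_upload, SESSION_COOKIE_FLAGS) and the type lists are hypothetical choices for this example.

```ruby
# Types browsers render without executing script; safe to serve inline.
SAFE_INLINE_TYPES = {
  '.png' => 'image/png', '.jpg' => 'image/jpeg', '.jpeg' => 'image/jpeg',
  '.gif' => 'image/gif', '.webp' => 'image/webp', '.txt' => 'text/plain'
}.freeze

# Types that can carry script; accepted only as downloads, never rendered inline.
ATTACHMENT_ONLY_TYPES = {
  '.svg' => 'image/svg+xml', '.html' => 'text/html', '.htm' => 'text/html'
}.freeze

# Markup that marks an upload as active content even when the extension lies.
ACTIVE_MARKERS = ['<svg', '<html', '<script', '<!doctype html', '<?xml'].freeze

# Inspect the first 512 bytes so a renamed SVG/HTML file is still caught.
def active_content?(bytes)
  head = bytes.to_s.byteslice(0, 512).downcase
  ACTIVE_MARKERS.any? { |marker| head.include?(marker) }
end

# Returns [:inline, type], [:attachment, type] or [:reject, nil].
def classify_upload(filename, bytes)
  ext = File.extname(filename.to_s).downcase
  if (type = ATTACHMENT_ONLY_TYPES[ext])
    [:attachment, type]
  elsif (type = SAFE_INLINE_TYPES[ext])
    # A "safe" extension wrapping markup is downgraded to an opaque download.
    active_content?(bytes) ? [:attachment, 'application/octet-stream'] : [:inline, type]
  else
    [:reject, nil]
  end
end

# Response headers for serving an accepted upload; raises for rejected types.
def headers_for_upload(filename, bytes)
  disposition, type = classify_upload(filename, bytes)
  raise ArgumentError, "unsupported upload type: #{filename}" if disposition == :reject
  safe_name = File.basename(filename).delete('"\\')
  {
    'Content-Type' => type,
    'X-Content-Type-Options' => 'nosniff',
    'Content-Disposition' =>
      disposition == :attachment ? "attachment; filename=\"#{safe_name}\"" : 'inline',
    # No script source is allowed at all, so an inline <script> cannot run.
    'Content-Security-Policy' => "default-src 'none'; img-src 'self'; style-src 'self'"
  }
end

# Cookie attributes for the session so page script cannot read the auth token.
SESSION_COOKIE_FLAGS = 'HttpOnly; Secure; SameSite=Lax'.freeze
```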
Fix
XSS
Affected Products
Camaleon Cms