CVE-2024-46986

9.9 CRITICAL

📋 TL;DR

CVE-2024-46986 is an arbitrary file write vulnerability in Camaleon CMS that allows authenticated users to write files to any location on the web server. This can lead to remote code execution if attackers write malicious Ruby files to the Rails initializers folder. All Camaleon CMS installations before version 2.8.2 are affected.

💻 Affected Systems

Products:
  • Camaleon CMS
Versions: All versions before 2.8.2
Operating Systems: All operating systems running Camaleon CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access. The vulnerability is in the MediaController upload method.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution leading to data theft, lateral movement, and complete system control.

🟠 Likely Case

Webshell deployment leading to data exfiltration, defacement, or cryptocurrency mining.

🟢 If Mitigated

Limited file system damage if proper file permissions restrict write access to critical directories.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and authenticated users can exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials can still exploit, but external attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. Path traversal techniques can be used to write files to arbitrary locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.2

Vendor Advisory: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5

Restart Required: Yes

Instructions:

1. Back up your Camaleon CMS installation and database.
2. Update Gemfile to specify 'gem "camaleon_cms", "~> 2.8.2"'.
3. Run 'bundle update camaleon_cms'.
4. Restart the Rails application server.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict file system permissions to prevent writing to config/initializers/ and other sensitive directories
  • Implement strict access controls and monitor for suspicious file upload activities

🔍 How to Verify

Check if Vulnerable:

Check Camaleon CMS version in Gemfile.lock or via Rails console: CamaleonCms::VERSION

Check Version:

grep -E '^ {4}camaleon_cms \(' Gemfile.lock

Verify Fix Applied:

Verify version is 2.8.2 or higher and test file upload functionality with path traversal attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Path traversal strings in upload requests
  • File writes to config/initializers/ directory

Network Indicators:

  • POST requests to media upload endpoints with directory traversal payloads

SIEM Query:

source="web_logs" AND (uri_path="/admin/media/upload" OR uri_path="/media/upload") AND (request_body CONTAINS "../" OR request_body CONTAINS "..\\")
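The same check as the query above, as an added Ruby example that is not code from Camaleon CMS or the vendor advisory. It goes one step beyond the query by percent-decoding the body first, so encoded forms of "../" and "..\" are caught as well. The record fields (:method, :uri_path, :request_body) and the body parameter name "dest" are assumptions, and the sample records are constructed.

```ruby
# Upload paths taken from the SIEM query on this page.
UPLOAD_PATHS = ["/admin/media/upload", "/media/upload"].freeze
# "../" or "..\" anywhere in the decoded value, as in the query.
TRAVERSAL = %r{\.\.[/\\]}

# Percent-decode repeatedly (bounded) so %2e%2e%2f and the double-encoded
# %252e%252e%252f both reduce to "../". Works on raw bytes and skips
# malformed escapes such as "%zz" instead of raising.
def fully_decode(value, max_rounds = 3)
  current = value.to_s.b
  max_rounds.times do
    decoded = current.gsub(/%\h\h/) { |m| [m[1, 2].hex].pack("C") }
    break if decoded == current
    current = decoded
  end
  current
end

# Returns records that are POSTs to an upload endpoint and whose body
# contains a traversal sequence once decoded.
def suspicious_uploads(records)
  records.select do |r|
    r[:method] == "POST" &&
      UPLOAD_PATHS.include?(r[:uri_path]) &&
      fully_decode(r[:request_body]).match?(TRAVERSAL)
  end
end

# Constructed sample records; "dest" is a placeholder parameter name.
SAMPLE = [
  { id: 1, method: "POST", uri_path: "/admin/media/upload", request_body: "dest=../../somewhere" },
  { id: 2, method: "POST", uri_path: "/media/upload", request_body: "dest=%252e%252e%252fsomewhere" },
  { id: 3, method: "POST", uri_path: "/admin/media/upload", request_body: "dest=photos/2024&name=cat.png" },
  { id: 4, method: "GET",  uri_path: "/admin/media/upload", request_body: "" },
  { id: 5, method: "POST", uri_path: "/admin/posts", request_body: "title=..%2Fdraft" },
  { id: 6, method: "POST", uri_path: "/admin/media/upload", request_body: "dest=..%5C..%5Csomewhere%zz" }
].freeze

suspicious_uploads(SAMPLE).each do |r|
  puts "ALERT id=#{r[:id]} #{r[:method]} #{r[:uri_path]}"
end
```

Records 1, 2 and 6 are flagged; record 5 carries a traversal string but is not an upload endpoint, which matches the scope of the query.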
