CVE-2021-25972 – camaleon_cms

Package

Manager: gem
Name: camaleon_cms
Vulnerable Version: >=2.1.2.0 <2.6.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00324 pctl0.54795

Details

Camaleon CMS vulnerable to Server-Side Request Forgery In Camaleon CMS, versions 2.1.2.0 through 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.

Metadata

Created: 2022-05-24T19:18:04Z
Modified: 2023-01-26T23:52:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vx6p-q4gj-x6xx/GHSA-vx6p-q4gj-x6xx.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-vx6p-q4gj-x6xx
Finding: F100
Auto approve: 1