CVE-2025-2304 – camaleon_cms

Package

Manager: gem
Name: camaleon_cms
Vulnerable Version: >=0 <2.9.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00187 pctl0.40776

Details

Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

Metadata

Created: 2025-03-14T15:32:03Z
Modified: 2025-03-19T15:32:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rp28-mvq3-wf8j/GHSA-rp28-mvq3-wf8j.json
CWE IDs: ["CWE-915"]
Alternative ID: GHSA-rp28-mvq3-wf8j
Finding: F006
Auto approve: 1