GHSA-vx6p-q4gj-x6xx

Suggest an improvement
Source
https://github.com/advisories/GHSA-vx6p-q4gj-x6xx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vx6p-q4gj-x6xx/GHSA-vx6p-q4gj-x6xx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vx6p-q4gj-x6xx
Aliases
Published
2022-05-24T19:18:04Z
Modified
2023-11-01T04:54:49.584732Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Camaleon CMS vulnerable to Server-Side Request Forgery
Details

In Camaleon CMS, versions 2.1.2.0 through 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.

Database specific
{
    "nvd_published_at": "2021-10-20T12:15:00Z",
    "github_reviewed_at": "2023-01-26T23:52:12Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

RubyGems / camaleon_cms

Package

Name
camaleon_cms
Purl
pkg:gem/camaleon_cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.2.0
Fixed
2.6.0.1

Affected versions

2.*

2.1.2.0
2.1.2.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.7.1
2.3.7.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.3.1
2.4.3.2
2.4.3.3
2.4.3.4
2.4.3.5
2.4.3.6
2.4.3.7
2.4.3.8
2.4.3.9
2.4.3.10
2.4.3.11
2.4.3.12
2.4.3.13
2.4.4
2.4.4.1
2.4.4.2
2.4.4.3
2.4.4.4
2.4.4.5
2.4.4.6
2.4.4.7
2.4.5
2.4.5.1
2.4.5.2
2.4.5.3
2.4.5.4
2.4.5.5
2.4.5.7
2.4.5.8
2.4.5.9
2.4.5.10
2.4.5.11
2.4.5.12
2.4.5.13
2.4.5.14
2.4.6.0
2.4.6.1
2.4.6.2
2.4.6.3
2.4.6.4
2.4.6.5
2.4.6.6
2.4.6.7
2.4.6.8
2.4.6.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.3.1
2.6.0