Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Nzh2LTRmdmotcmc5as4AArLe
Camaleon CMS Stored Cross-site Scripting vulnerability
In “Camaleon CMS” application, versions 0.0.1 through 2.6.0 are vulnerable to stored XSS, that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.
Permalink: https://github.com/advisories/GHSA-x78v-4fvj-rg9jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Nzh2LTRmdmotcmc5as4AArLe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-x78v-4fvj-rg9j, CVE-2021-25969
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-25969
- https://github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969
- https://github.com/advisories/GHSA-x78v-4fvj-rg9j
Blast Radius: 7.8
Affected Packages
rubygems:camaleon_cms
Dependent packages: 7Dependent repositories: 19
Downloads: 258,756 total
Affected Version Ranges: >= 0.0.1, < 2.6.0.1
Fixed in: 2.6.0.1
All affected versions: 0.0.1, 0.0.2, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5
All unaffected versions: