Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOWNyLXFtZnctcG1yY84AA_rD
Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)
Proof of concept
Login as a normal user (if user signup is enabled).
Go to the user's profile.
And upload the following profile picture via drag and drop.
The content of the SVG file could be as follows (e.g. name it test-xss.svg):
Impact
This issue may lead to account takeover due to reflected Cross-site scripting (XSS).
Remediation
Only allow the upload of safe files such as PNG, TXT and others or serve all "unsafe" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.
Additionally, a Content security policy (CSP) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)
To prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.
Permalink: https://github.com/advisories/GHSA-r9cr-qmfw-pmrcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOWNyLXFtZnctcG1yY84AA_rD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-r9cr-qmfw-pmrc
References:
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc
- https://github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b
- https://github.com/advisories/GHSA-r9cr-qmfw-pmrc
Blast Radius: 6.9
Affected Packages
rubygems:camaleon_cms
Dependent packages: 7Dependent repositories: 19
Downloads: 335,994 total
Affected Version Ranges: < 2.8.1
Fixed in: 2.8.1
All affected versions: 0.0.1, 0.0.2, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0
All unaffected versions: 2.8.1, 2.8.2, 2.8.3