Headline
CVE-2023-30145: GitHub - paragbagul111/CVE-2023-30145: Camaleon CMS v2.7.0 contain a Server-Side Template Injection (SSTI) vulnerability
Description:
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
Affected Component: All versions that are below 2.7.0
Fixed version: 2.7.4
Steps to reproduce:
Detection:
1. Open the URL below: https://target.com/admin/media/upload
2. Upload any file and intercept the request. In the `formats` parameter value, add the payload `testi<%= 7*7 %>vuuvm`. The response returns the result of the multiplication 7*7 in the message "File format not allowed (dqopi49vuuvm)".
Exploitation:
3. After that, to execute a command, add this payload: `testqopi<%= File.open('/etc/passwd').read %>fdtest`
Attack Vector:
The attack vector is unsanitized user input in the `formats` parameter, which lets an attacker inject template directives and leads to Server-Side Template Injection (SSTI). The attacker uploads a file, intercepts the request, and modifies the `formats` parameter value with a payload containing a template directive that executes arbitrary code. In this case, the payload `dqopi<%= File.open('/etc/passwd').read %>fdfdsf` reads the contents of the `/etc/passwd` file on the server. This can give the attacker unauthorized access to sensitive information and potentially control of the server.
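The bug class described above, as an added Ruby example that is not Camaleon CMS's own code: a request value interpolated into ERB template source is evaluated, while the same value passed as escaped data stays inert. The function names and the allow-list pattern are assumptions made for illustration; only the error message text comes from this page.

```ruby
require 'erb'

# Hypothetical allow-list: a plain comma-separated list of extensions.
FORMATS_ALLOWED = /\A[a-z0-9]+(,[a-z0-9]+)*\z/i

# Bug class: the request value becomes part of the template *source*,
# so any ERB tag inside it is evaluated on the server.
def error_message_vulnerable(formats)
  ERB.new("File format not allowed (#{formats})").result(binding)
end

# Hardened: the template source is a constant. The value is passed in as
# data and HTML-escaped on output, so ERB delimiters remain literal text.
SAFE_TEMPLATE = ERB.new(
  'File format not allowed (<%= ERB::Util.html_escape(formats) %>)'
)

def error_message_safe(formats)
  SAFE_TEMPLATE.result_with_hash(formats: formats.to_s)
end

# Input validation in front of rendering: reject anything that is not a
# plain list of extensions before it reaches any message or template.
def valid_formats?(formats)
  formats.to_s.match?(FORMATS_ALLOWED)
end

if __FILE__ == $PROGRAM_NAME
  probe = 'test<%= 7*7 %>test' # constructed arithmetic probe
  puts error_message_vulnerable(probe) # tag is evaluated
  puts error_message_safe(probe)       # tag is echoed as escaped text
  puts valid_formats?('jpg,png,gif')   # accepted
  puts valid_formats?(probe)           # rejected
end
```

A response that echoes the computed value rather than the literal tag is the signal that the parameter reaches template source.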
CVE Impact Other: SSTI vulnerabilities are serious and can lead to a complete compromise of the application's data and functionality, and often of the server that is hosting the application. Attackers may also use the server as a platform for further attacks against other systems.
Vendor of Product:
Camaleon CMS
Confirmed on: 9 March 2023
Vendor: Camaleon-cms https://github.com/owen2345/camaleon-cms
Discoverer:
Parag Bagul
Related news
Camaleon CMS version 2.7.0 suffers from a server-side template injection vulnerability.
Camaleon CMS prior to 2.7.4 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the `formats` parameter.