GHSA-7x4w-cj9r-h4v9: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)

The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. Arbitrary file deletion can be exploited with following code path: The parameter folder flows from the actions method: ```ruby def actions authorize! :manage, :media if params[:media_action] != 'crop_ur...

GHSA-r9cr-qmfw-pmrc: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)

A stored cross-site scripting vulnerability has been found in the image upload functionality that can be used by normal registered users: it is possible to upload an SVG image containing JavaScript, and it is also possible to upload an HTML document when the format parameter is manually changed to [documents](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106) or to a string of an [unsupported format](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111). If an authenticated user or administrator visits that uploaded image or document, malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside the CMS). Proof of concept: log in as a normal user (if user signup is enabled), go to the user's profile, and upload the following profile picture via drag and drop. The content of the SVG file could be as follows ...

GHSA-cp65-5m9r-vc2c: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)

A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). In the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) method:

```ruby
def download_private_file
  cama_uploader.enable_private_mode!
  file = cama_uploader.fetch_file("private/#{params[:file]}")
  send_file file, disposition: 'inline'
end
```

The file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) method of the CamaleonCmsLocalUploader class (when files are uploaded locally):

```ruby
def fetch_file(file_name)
  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)
  file_name
end
```
...

Server Misconfiguration at Fuel Industry Software Provider Exposes SSNs, PII Data

A server misconfiguration exposed a trove of documents belonging to FleetPanda, a leading petroleum and fuel industry software…

GHSA-w392-75q8-vr67: Guardrails has an arbitrary code execution vulnerability

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.

GHSA-g4r7-86gm-pgqc: sqlitedict insecure deserialization vulnerability

Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

GHSA-hfmw-7g3m-gj6q: CoreDNS vulnerable to TuDoor Attacks

An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.

GHSA-wmjg-vqhv-q5p5: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)

An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). For example, this can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. Once a user upload is started via the [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) method, the file_upload and the folder parameter ```ruby def upload(settings = {}) params[:dimension] = nil if params[:skip_auto_crop].present? f = { error: 'File not found.' } if params[:file_upload].present? f = upload_file(params[:file_upload], { folder: params[:folder], dimension: params['dimension'], formats: params[:fo...

Backdoor.Win32.BlackAngel.13 MVID-2024-0695 Code Execution

Backdoor.Win32.BlackAngel.13 malware suffers from a code execution vulnerability.