/CVE-2023-30145

Camaleon CMS v2.7.0 contain a Server-Side Template Injection (SSTI) vulnerability

Description:

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

Affected Component:

All versions that are below 2.7.0

Fixed version:

Fixed Versions: 2.7.4


Step to reproduce :

Detection:

1.open below URL:https://target.com/admin/media/upload

2.upload any file and intercept request in formats parameter value add this payload and testi<%= 77 %>vuuvm in response it will return multiplication of 77 with below message "File format not allowed (dqopi49vuuvm)"

Exploitation:

3.After that for execute command add this payload testqopi<%= File.open('/etc/passwd').read %>fdtest


poc


Attack Vector:

The attack vector for this vulnerability involves an attacker exploiting the unsanitized user input in the 'formats' parameter to inject malicious template directives, which can lead to Server-Side Template Injection (SSTI) attacks. The attacker can upload a file and intercept the request to modify the 'formats' parameter value with a payload that includes a template directive that executes arbitrary code. In this case, the attacker is using the 'dqopi<%= File.open('/etc/passwd').read %>fdfdsf' payload to read the contents of the '/etc/passwd' file on the server. This can allow the attacker to gain unauthorized access to sensitive information, and potentially take control of the server.

CVE Impact Other:

SSTI vulnerabilities are serious and can lead to a complete compromise of the application's data and functionality, and often of the server that is hosting the application. Attackers may also use the server as a platform for further attacks against other systems.

Vendor of Product:

Camaleon CMS

Confirmed on: 9 March 2023

Vendor:

Camaleon-cms https://github.com/owen2345/camaleon-cms

Discoverer:

Parag Bagul