May 22, 2025

CVE-2024-46986 – Arbitrary File Write in Camaleon CMS Leading to RCE

A vulnerability was discovered in Camaleon CMS that allows authenticated attackers to write files on the file system, which enables them to execute remote code under certain conditions.


Overview

CVE-2024-46986 is a critical arbitrary file write vulnerability affecting Camaleon CMS versions prior to 2.8.2. The flaw allows authenticated attackers to write files to arbitrary paths on the file system due to improper input sanitization, enabling them to execute remote code under certain conditions.

  • CVE ID: CVE-2024-46986
  • Severity: Critical
  • CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • EPSS Score: 86.38%
  • Published: September 18, 2024
  • Affected Versions: <= 2.8.2
  • Patched Version: 2.8.2+

Technical Breakdown

The vulnerability lies in the upload method of the MediaController, where the folder parameter is passed directly to file handling logic without proper path validation. By crafting a path using directory traversal sequences (../../), an attacker can break out of the intended upload directory and write malicious files anywhere within the web root—or worse, into Rails initializer paths like:

config/initializers/malicious.rb

If such a file is placed correctly, it will be executed upon the next application restart or reload, achieving full Remote Code Execution (RCE) with the web server’s privileges.

Conditions for Exploitation

  • Valid user credentials (authenticated low-priv user access)
  • Ability to upload a file (no restriction on file type)
  • File system permissions allowing write to target paths
  • Web server restart to trigger execution (if targeting Rails initializer)

Vulnerable Code Snippet

In this code, params[:folder] is directly passed to the upload_file method without sanitization. This oversight allows an authenticated attacker to manipulate the folder parameter to traverse directories and write files to arbitrary locations on the server, potentially leading to remote code execution.

def upload(settings = {})
  params[:dimension] = nil if params[:skip_auto_crop].present?
  f = { error: 'File not found.' }
  if params[:file_upload].present?
    # params[:folder] is handed straight to upload_file; no path validation is applied
    f = upload_file(params[:file_upload],
                    { folder: params[:folder], dimension: params['dimension'], formats: params[:formats], versions: params[:versions],
                      thumb_size: params[:thumb_size] }.merge(settings))
  end
  […]
end
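A hardened counterpart to the snippet above, added here as an example and not taken from Camaleon CMS or its 2.8.2 fix: the helper resolves the user-supplied folder against an assumed upload root and rejects any value that escapes it, which is the check the vulnerable method lacks. UPLOAD_ROOT, safe_upload_folder and PathTraversalError are names chosen for this example.

```ruby
# Added example (not Camaleon CMS code): confine a folder parameter to the
# upload root before any file is written under it.
require "pathname"

# Assumed upload root for this example; a real app would take it from config.
UPLOAD_ROOT = Pathname.new("/var/www/app/public/media").freeze

class PathTraversalError < StandardError; end

# Returns the absolute, normalised destination directory for +folder+, or
# raises PathTraversalError when the resolved path is not UPLOAD_ROOT itself
# or a descendant of it (e.g. "../../config/initializers").
def safe_upload_folder(folder, root = UPLOAD_ROOT)
  rel = folder.to_s.strip
  raise PathTraversalError, "NUL byte in folder" if rel.include?("\0")
  raise PathTraversalError, "absolute folder not allowed" if rel.start_with?("/")

  # Pathname#+ and #cleanpath normalise "..", "." and "//" lexically, without
  # touching the disk. If the root may contain symlinks, additionally compare
  # File.realpath of the final directory against File.realpath of the root.
  resolved = rel.empty? ? root : (root + rel).cleanpath

  unless resolved == root || resolved.to_s.start_with?("#{root}/")
    raise PathTraversalError, "folder escapes upload root: #{folder.inspect}"
  end
  resolved
end

# Usage inside the controller would be:
#   folder: safe_upload_folder(params[:folder])
# so that upload_file never sees a path outside UPLOAD_ROOT.
```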

Exploitation Steps

A public PoC demonstrating this vulnerability is available at https://github.com/vidura2/CVE-2024-46986. The PoC automates the following steps:

  1. Authenticate: Log in to the Camaleon CMS instance with valid credentials.
  2. Craft Malicious File: Prepare a Ruby script with malicious code.
  3. Upload File: Use the vulnerable upload method to place the file into a sensitive directory, such as config/initializers/.
  4. Trigger Execution: Restart the application or wait for a restart to occur, leading to the execution of the malicious code.

Mitigation

  • Upgrade: Update Camaleon CMS to version 2.8.2 or later, where this issue has been addressed.
  • Restrict Access: Limit access to the CMS to trusted users.
  • Monitor Logs: Regularly review server logs for suspicious activity.
  • Implement WAF: Use a Web Application Firewall to detect and block malicious requests.

There are no known workarounds for this vulnerability; upgrading is the recommended course of action.
