GHSA-r9cr-qmfw-pmrc: Camaleon CMS allows stored XSS through user file upload (GHSL-2024-184)

September 18, 2024

A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it’s also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS).

References

github.com/advisories/GHSA-r9cr-qmfw-pmrc
github.com/owen2345/camaleon-cms
github.com/owen2345/camaleon-cms/commit/b18fbc74f3ecd98a1f781d015f5466ef16b1425b
github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc

Code Behaviors & Features

Detect and mitigate GHSA-r9cr-qmfw-pmrc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →