Cyber Resilience

CVE-2024-46986

Critical · Public PoC

Published: 18 September 2024

Modified: 17 April 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9229 (99.7th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46986 is a critical-severity injection (CWE-74) vulnerability in Tuzitio Camaleon CMS. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, a public proof-of-concept is referenced, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Camaleon CMS, a Ruby on Rails-based content management system, contains an arbitrary file write vulnerability in the upload method of MediaController. The flaw stems from insufficient path validation (CWE-22 and CWE-74): an authenticated user can supply crafted file paths during media uploads, and the resulting writes land at arbitrary locations on the underlying filesystem, limited only by the permissions of the web server process.

An attacker with a low-privileged authenticated account can therefore place attacker-controlled Ruby files into sensitive directories such as config/initializers/. Because Rails automatically executes code in that folder on startup, the write can be leveraged for delayed remote code execution, giving the attacker full control over the application and potentially the host.

The vulnerability is fixed in Camaleon CMS release 2.8.2; the project advisory states there are no known workarounds and explicitly recommends immediate upgrade. The associated EPSS score stands at 0.9229.
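As an added illustration of the path-validation control this page lists for CWE-22 (example code written for this page, not Camaleon CMS code, and not a description of how release 2.8.2 fixes the issue), the Ruby routine below resolves an upload destination and refuses any folder or filename that would land outside the media root; MEDIA_ROOT is a constructed path.

```ruby
# Added example, not Camaleon CMS code: resolve an upload destination so a
# user-supplied folder and filename can never escape the configured media root.
# MEDIA_ROOT is a constructed path for the example.
MEDIA_ROOT = "/srv/app/public/media".freeze

class UnsafeUploadPath < StandardError; end

# Returns the absolute destination for an upload, or raises UnsafeUploadPath
# when the requested folder/filename would resolve outside the media root.
def safe_upload_path(folder, filename, root: MEDIA_ROOT)
  root = File.expand_path(root)
  folder = folder.to_s
  filename = filename.to_s

  # Null bytes and other control characters can truncate paths at the OS layer.
  if (folder + filename).match?(/[\x00-\x1f]/)
    raise UnsafeUploadPath, "control character in path component"
  end

  # An absolute folder is an explicit attempt to leave the upload tree.
  raise UnsafeUploadPath, "absolute folder not allowed" if folder.start_with?("/")

  # Only the basename of the filename is honoured, so "../x.rb" becomes "x.rb".
  base = File.basename(filename)
  if base.empty? || %w[. .. /].include?(base)
    raise UnsafeUploadPath, "invalid filename"
  end

  # expand_path collapses "." and ".." lexically, so traversal in the folder
  # component shows up as a resolved path outside the root.
  candidate = File.expand_path(File.join(root, folder, base))

  # The resolved path must lie strictly below the root; the trailing separator
  # stops a sibling such as ".../media2" from passing a bare prefix check.
  unless candidate.start_with?(root + File::SEPARATOR)
    raise UnsafeUploadPath, "path escapes media root: #{candidate}"
  end
  # If symlinks are permitted inside the media tree, also compare
  # File.realpath of the parent directory against root before writing.
  candidate
end

# Predicate form for request validation: true only when the path is safe.
def upload_path_allowed?(folder, filename, root: MEDIA_ROOT)
  safe_upload_path(folder, filename, root: root)
  true
rescue UnsafeUploadPath
  false
end
```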

EU & UK References

Vulnerability details

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. this can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file write via path injection in Camaleon CMS MediaController upload enables exploitation of public-facing web applications (T1190), remote code execution through uploaded web shells or equivalent malicious files (T1100), and persistence by modifying server software components like Ruby initializers (T1505.003).

Affected Assets

Vendor: tuzitio
Product: camaleon cms
Versions: ≤ 2.8.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74:
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-22:
Validates pathnames and filenames so that resolved paths cannot traverse outside the intended directories.

Addresses CWE-74:
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) through anomaly and attack monitoring.

References