Privilege Escalation Flaw in Camaleon CMS
CVE-2025-2304

9.4CRITICAL

Key Information:

Vendor: Owen2345
Status: Camaleon-cms
Vendor: CVE Published:; 14 March 2025

Summary

A critical issue in Camaleon CMS's UsersController, specifically in the 'updated_ajax' method, enables privilege escalation due to the improper handling of parameters. The vulnerability arises from the use of the permit! method, which fails to filter input, allowing all parameters to be processed without validation. This can result in unauthorized changes to user permissions, posing significant security risks.

Affected Version(s)

camaleon-cms 0

References

https://www.tenable.com/security/research/tra-2025-09

https://github.com/owen2345/camaleon-cms

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Mar 14, 2025
Vulnerability Reserved
Mar 14, 2025