Path Traversal (CVE‑2024‑46987) in Camaleon CMS 2.9.0 Exposes Arbitrary Files
What Happened — CVE‑2024‑46987, now publicly disclosed, allows an attacker who holds a valid admin auth_token cookie to send a single GET request to the /admin/media/download_private_file endpoint with a file path containing traversal sequences (../../..) and read any file the web‑server process can read, for example /etc/passwd. The vulnerability affects Camaleon CMS versions ≤ 2.9.0; the /etc/passwd proof applies to Linux deployments.
Why It Matters for TPRM —
- Third‑party web portals built on Camaleon may expose internal configuration files, credentials (for example database and API secrets stored on disk), or customer data.
- Secrets read this way can be used for further lateral movement within a vendor's environment, increasing supply‑chain risk.
- The flaw is easy to weaponize with a single request, making it attractive to opportunistic attackers.
Who Is Affected — SaaS platforms, corporate websites, and any organization that integrates Camaleon CMS (primarily TECH_SAAS and OTHER vendor types).
Recommended Actions —
- Verify whether any current vendors run Camaleon CMS ≤ 2.9.0.
- Require immediate patching to version 2.9.1 or later, or apply mitigations (e.g., block the vulnerable endpoint, enforce strict path validation).
- Review web‑server access logs on affected systems for requests to /admin/media/download_private_file that contain traversal sequences (including URL‑encoded forms such as %2e%2e%2f), since a read leaves no trace in file integrity; where such requests returned content, treat credentials stored in the readable files as compromised and rotate them.
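The log review in the last step can be scripted. The block below is an added example, not part of this advisory and not Camaleon CMS code: the access‑log lines are constructed in combined log format, the endpoint path is the one named above, and the `file` query parameter name is an assumption. The query string is percent‑decoded up to three times so single‑ and double‑encoded traversal is caught, and hits that returned a 200 with a non‑empty body are reported separately as likely successful reads.

```ruby
require "cgi"

# Constructed sample traffic (combined log format); not real log data.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /admin/media/download_private_file?file=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4.0"
  203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /admin/media/download_private_file?file=..%2F..%2F..%2Fconfig%2Fdatabase.yml HTTP/1.1" 200 512 "-" "curl/8.4.0"
  203.0.113.7 - - [10/Oct/2024:13:55:44 +0000] "GET /admin/media/download_private_file?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
  198.51.100.22 - - [10/Oct/2024:14:01:02 +0000] "GET /admin/media/download_private_file?file=reports/q3.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
  198.51.100.22 - - [10/Oct/2024:14:02:10 +0000] "GET /admin/media?folder=/ HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
LOG

# Endpoint named in the advisory; the "file" query parameter is an assumption.
ENDPOINT = "/admin/media/download_private_file"

# Combined-log-format fields we need: client IP, timestamp, request target, status, bytes.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# ".." followed by a forward or back slash, checked after decoding.
TRAVERSAL_RE = %r{\.\.[/\\]}

# Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both
# reduce to "../". Stops early once decoding no longer changes the string.
def fully_decode(s, max_rounds = 3)
  cur = s
  max_rounds.times do
    nxt = CGI.unescape(cur)
    break if nxt == cur
    cur = nxt
  end
  cur
end

# Returns one hash per request to the vulnerable endpoint whose decoded query
# contains a traversal sequence; unparseable lines and other paths are skipped.
def traversal_hits(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_RE.match(line)
    next unless m
    path, _sep, query = m[:target].partition("?")
    next unless path == ENDPOINT
    decoded = fully_decode(query)
    next unless decoded.match?(TRAVERSAL_RE)
    { ip: m[:ip], ts: m[:ts], status: m[:status].to_i, bytes: m[:bytes].to_i, query: decoded }
  end
end

# A 200 with a non-empty body is the signal that a file was actually served.
def likely_successful_reads(hits)
  hits.select { |h| h[:status] == 200 && h[:bytes] > 0 }
end

if __FILE__ == $PROGRAM_NAME
  hits = traversal_hits(SAMPLE_LOG)
  hits.each { |h| puts "#{h[:ts]} #{h[:ip]} #{h[:status]} #{h[:query]}" }
  puts "#{likely_successful_reads(hits).size} of #{hits.size} traversal attempts likely returned file content"
end
```

Run it against a real access log with `traversal_hits(File.read("access.log"))`; the source IPs and timestamps of the successful reads are what the vendor should be asked to account for, and the decoded queries tell you which files (and therefore which secrets) to assume were taken.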
Technical Notes — The exploit requires a valid admin session (auth_token cookie) but no code execution. It abuses a directory‑traversal flaw in the private file download API, in which the requested path is not confined to the private media directory, resulting in arbitrary file read with the permissions of the web‑server process. No CVE‑specific mitigations were disclosed beyond the vendor‑released patch. Source: Exploit‑DB 52531
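To make the "strict path validation" mitigation concrete, the block below is an added illustration (not Camaleon CMS's own code and not the patch) of the shape of flaw described above and a hardened replacement. The private‑media directory, the parameter name and the helper names are assumptions. The hardened version resolves the request against the base directory with File.expand_path, which collapses "..", and then requires the result to sit strictly below the base plus a separator, so a sibling directory with the same prefix does not pass.

```ruby
# Added illustration, not Camaleon CMS's own code: a download handler that joins
# a request parameter onto a private-media directory, in its vulnerable shape
# and a hardened one. PRIVATE_DIR and the parameter handling are assumptions.

PRIVATE_DIR = "/srv/app/private"   # assumed location of private media

# Vulnerable shape: the user-supplied value is joined onto the base directory
# as-is, so "../" sequences walk out of it. Rails has already URL-decoded the
# parameter by the time a controller sees it, so %2e%2e%2f arrives here as "../".
def unsafe_private_path(requested, private_dir = PRIVATE_DIR)
  File.join(private_dir, requested)
end

# Hardened: resolve the candidate against the base with File.expand_path (which
# collapses "." and ".." and makes the result absolute), then require it to be
# the base itself or to sit strictly below base + "/". The separator matters:
# without it, "/srv/app/private_old/x" would pass a bare prefix check.
# Symlinks inside the private directory are a separate concern; for an existing
# file, File.realpath would resolve them before the same prefix test.
def safe_private_path(requested, private_dir = PRIVATE_DIR)
  raise ArgumentError, "NUL byte in path" if requested.include?("\0")
  raise ArgumentError, "absolute paths not allowed" if requested.start_with?("/", "~")
  base = File.expand_path(private_dir)
  candidate = File.expand_path(requested, base)
  unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "path escapes #{private_dir}"
  end
  candidate
end

# Convenience for checks: does this request value escape the private directory?
def escapes?(requested, private_dir = PRIVATE_DIR)
  safe_private_path(requested, private_dir)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  ["reports/q1.pdf", "../../../etc/passwd", "../private_old/x"].each do |req|
    resolved = File.expand_path(unsafe_private_path(req))
    puts "#{req.ljust(22)} unsafe resolves to #{resolved.ljust(34)} blocked by safe version: #{escapes?(req)}"
  end
end
```

The same prefix test is what to look for when reviewing a vendor's own fix: a check that merely strips "../" from the input, or that compares against the base without the trailing separator, still leaves the endpoint exploitable.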