CVE-2018-18260
Description
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false. NOTE: the vendor reports that they are "unable to reproduce the reported issue on any version."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reported stored XSS in Camaleon CMS 2.4 via the profile image upload in User settings, allowing script execution in the browsers of users who render the stored content; the vendor states it cannot reproduce the issue.
Vulnerability
In Camaleon CMS version 2.4, a stored cross-site scripting (XSS) vulnerability is reported in the profile image upload of the User settings section. The reported trigger is the /admin/media/upload?actions=false endpoint, through which an uploaded profile image is stored and later rendered in the media update/upload area. The CVE description does not state which part of the upload carries the payload (file contents, filename or metadata); it only states that the profile image "can be run" in that area. Because the issue is classed as stored XSS, the payload persists server-side and executes whenever the stored item is rendered, not only at upload time [3].
Exploitation
Reaching the upload requires an account with access to the User settings section, so the attacker is an authenticated, low-privileged user rather than an anonymous visitor. The attacker submits a crafted file through the profile image upload; once accepted, the stored item is rendered in the admin media area, so the script runs in the browser of any user, typically an administrator, who views the attacker's profile or browses that area [3]. The description gives no specific payload or file format, and the vendor reports being unable to reproduce the issue on any version, so the exact conditions under which the upload is rendered executably are not established.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the CMS origin. Since the rendering surface is the admin media area, the likely victims are administrators, so the impact extends to session hijacking, actions performed with the victim's privileges (including account and content changes), defacement, and theft of sensitive information [4].
Mitigation
As of the publication date, the vendor reports being unable to reproduce the issue, and no patch for this CVE has been identified. Users should upgrade to the latest Camaleon CMS release where available, and restrict who may upload profile images through access controls [3][4]. Independently of this specific report, the general defences against stored XSS through image uploads apply: validate the uploaded bytes server-side against the declared image type rather than trusting the extension or Content-Type header, reject markup-capable formats such as SVG unless they are sanitised, store files under a server-chosen name, and serve uploads with X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy, ideally from a separate origin so that any executable content cannot run with the CMS's cookies.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
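Camaleon CMS is a Ruby on Rails application, so the following added Ruby example shows the upload-side defence described in the Mitigation section: an image validator that sniffs magic bytes, rejects markup-capable content such as SVG or HTML regardless of the declared type or filename, assigns a server-chosen storage name, and picks response headers for serving the stored file. This is illustrative code written for this page, not Camaleon's upload handler, and it does not claim to reproduce the reported issue; the function names, the allowed-format table and the sample inputs are assumptions.

```ruby
# Added example, not Camaleon CMS code: validating an uploaded "profile image"
# before storing it, and choosing headers for serving it back. A stored XSS
# through an image upload needs the server to accept bytes a browser will
# execute (SVG, HTML) and then serve them inline on the site's origin; the
# checks below close both halves. Names and tables here are assumptions.

require "digest"

# Magic-byte signatures for raster formats that browsers render without a
# script context. SVG is deliberately absent: it is XML and may carry
# <script> elements and event-handler attributes.
MAGIC = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Extension the server assigns for each accepted type (the uploader's
# extension is never reused).
EXTENSIONS = {
  "image/png"  => ".png",
  "image/jpeg" => ".jpg",
  "image/gif"  => ".gif",
}.freeze

# Returns the MIME type detected from the first bytes, or nil if the bytes
# match none of the allowed raster formats.
def sniff_image_type(bytes)
  head = bytes.b[0, 16].to_s
  MAGIC.each do |mime, sigs|
    return mime if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# True if the declared type or the leading bytes look like markup a browser
# would interpret as a document (SVG/HTML), whatever the filename says.
def markup_like?(bytes, declared_type)
  declared = declared_type.to_s.downcase
  return true if declared.start_with?("image/svg", "text/html", "application/xhtml")
  sample = bytes.b[0, 512].to_s.downcase
  ["<svg", "<script", "<!doctype html", "<html"].any? { |m| sample.include?(m) }
end

# Decides whether an upload may be stored.
# Returns [true, storage_name] or [false, reason].
# The storage name is server-chosen (content hash plus an extension derived
# from the sniffed type), so the uploader controls neither name nor extension.
def validate_profile_image(declared_type:, bytes:)
  return [false, "empty upload"] if bytes.nil? || bytes.empty?
  return [false, "markup content rejected"] if markup_like?(bytes, declared_type)
  mime = sniff_image_type(bytes)
  return [false, "unrecognised image format"] if mime.nil?
  if declared_type.to_s.downcase != mime
    return [false, "declared type #{declared_type} does not match content #{mime}"]
  end
  [true, Digest::SHA256.hexdigest(bytes)[0, 32] + EXTENSIONS.fetch(mime)]
end

# Headers for serving a stored image: the sniffed type, no content sniffing,
# and a CSP sandbox so that even a mis-stored document could not run script
# with the site's origin. Serving uploads from a separate origin is stricter still.
def image_response_headers(mime)
  {
    "Content-Type" => mime,
    "X-Content-Type-Options" => "nosniff",
    "Content-Disposition" => "inline; filename=\"image#{EXTENSIONS.fetch(mime)}\"",
    "Content-Security-Policy" => "default-src 'none'; sandbox",
  }
end

if __FILE__ == $0
  # Constructed sample inputs for demonstration, not captured uploads.
  png = "\x89PNG\r\n\x1a\n".b + ("\x00" * 16).b
  svg = %(<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>)
  p validate_profile_image(declared_type: "image/png", bytes: png)
  p validate_profile_image(declared_type: "image/png", bytes: svg)
  p validate_profile_image(declared_type: "image/svg+xml", bytes: svg)
  p image_response_headers("image/png")
end
```

The ordering of checks matters: the markup test runs before the magic-byte test so that a file which is SVG text with a spoofed PNG Content-Type is rejected for what it is rather than reported as merely "unrecognised", and the declared-versus-sniffed comparison catches a browser-side Content-Type that disagrees with the bytes even when both are legitimate image types.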
Affected products
Camaleon CMS 2.4 (per the CVE description)
Patches
No patches discovered yet.
References
4 references indexed for this CVE (list not reproduced on this page).
News mentions
No linked articles in our index yet.