Camaleon CMS - Server-Side Request Forgery (SSRF) in Media Upload Feature
Description
Camaleon CMS versions 2.1.2.0 to 2.6.0 are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs that reference localhost or other internal servers. This allows attackers to read files stored on the internal server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Camaleon CMS 2.1.2.0 to 2.6.0 is vulnerable to SSRF via the media upload feature, allowing admin users to access internal server files.
Vulnerability
Camaleon CMS versions 2.1.2.0 through 2.6.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the media upload feature. The feature allows admin users to fetch media files from external URLs but fails to validate URLs that point to localhost, 127.0.0.1, or other internal server addresses [1]. This lack of validation enables an attacker to craft requests that access internal network resources.
Exploitation
An attacker who holds an admin account exploits this by submitting, through the media upload function, a URL that points at an internal host (e.g., http://localhost/config or http://127.0.0.1/secret). The server fetches that URL on the attacker's behalf and stores the response as a media file, which exposes its content to the attacker [1]. No interaction from any other user is required; the attacker's own admin session suffices. Because the controller prefixes any URL that does not start with http with the site's own URL (visible in the patched hunk), the fetch is always over HTTP(S), so the reachable targets are HTTP services rather than the filesystem directly. The fix commit rejects a fixed set of localhost spellings, including hex, octal, and dword encodings of 127.0.0.1 [4].
Impact
Successful exploitation lets the attacker retrieve content from HTTP services that are reachable only from the server, such as loopback-bound admin consoles, internal APIs, or other hosts on the server's network, and have it disclosed as a stored media file; the advisory describes the result as reading files on the internal server, including configuration or credential material exposed that way [1]. The attacker already holds admin privileges on the CMS, but the flaw turns that application-level role into a foothold for pivoting into the internal network, widening the scope of the compromise.
Mitigation
The vulnerability is fixed in Camaleon CMS version 2.6.0.1, as recorded in the ruby-advisory-db [3]. The fix (commit 5a252d5) rejects an upload URL that matches a denylist of localhost spellings: localhost, 127.0.0.1, 0.0.0.0, and the hex, octal, and dword encodings of 127.0.0.1 [4]. That is a string denylist rather than address validation: it does not resolve hostnames and does not cover other loopback, private, or link-local ranges, so the upgrade should be paired with egress controls that limit what the application server can reach. Users should upgrade to the patched version immediately. If upgrading is not possible, administrators should restrict access to the media upload feature, or avoid using its fetch-from-URL option with untrusted URLs, until the patch can be applied.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
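Added example in Ruby (the project's language); it is not Camaleon CMS code. It reproduces the shape of the denylist from the fix commit beside a resolve-then-check validator and runs both over the localhost spellings the Exploitation section mentions, plus forms the denylist does not list, to show what the Mitigation caveat means in practice. `safe_upload_url?`, `blocked_ip?`, `BLOCKED_RANGES`, `SYSTEM_RESOLVER`, the `STUB_DNS` table and the example.net hostnames are assumptions for this example, not names from the project.

```ruby
require "uri"
require "ipaddr"
require "socket"

# The denylist from the fix commit, copied here only for comparison: an unanchored,
# case-sensitive substring match over the raw URL string.
LOCALHOST_DOMAIN_MATCHER = %r{
  localhost|
  127\.0\.0\.1|
  0\.0\.0\.0|
  0x7f\.0x0\.0x0\.0x1| # hex encoding
  0177\.0\.0\.01|      # octal encoding
  2130706433           # dword encoding
}x

def denylist_local_url?(url)
  url.match?(LOCALHOST_DOMAIN_MATCHER)
end

# Hardened alternative (assumed design, not Camaleon code): parse the URL, resolve the
# host the same way the HTTP client will, and refuse if ANY resulting address is
# unspecified, loopback, private, link-local or carrier-grade NAT.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 100.64.0.0/10
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def blocked_ip?(address)
  ip = IPAddr.new(address)
  ip = ip.native if ip.ipv4_mapped?          # ::ffff:127.0.0.1 is really 127.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Production resolver (assumed): getaddrinfo accepts dotted-quad, hex (0x7f000001),
# octal (0177.0.0.1), dword (2130706433) and short (127.1) spellings as well as DNS
# names, so every form an attacker can type collapses to the address that gets dialled.
SYSTEM_RESOLVER = lambda do |host|
  Socket.getaddrinfo(host, nil, Socket::AF_UNSPEC, Socket::SOCK_STREAM)
        .map { |entry| entry[3] }.uniq
end

def safe_upload_url?(url, resolver: SYSTEM_RESOLVER)
  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTP)   # URI::HTTPS < URI::HTTP; rejects file:, data:, ftp:
  host = uri.hostname                        # strips the [] around IPv6 literals
  return false if host.nil? || host.empty?
  addresses = resolver.call(host)
  return false if addresses.empty?           # fail closed on NXDOMAIN or resolver error
  addresses.none? { |address| blocked_ip?(address) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError, SocketError
  false
end

# Constructed, offline stand-in for DNS so the example runs without network access.
# Hostnames under example.net are fictitious; the numeric keys mirror how inet_aton-style
# parsing inside getaddrinfo reads those spellings (an assumption for this example).
STUB_DNS = {
  "localhost"          => ["127.0.0.1", "::1"],
  "127.0.0.1"          => ["127.0.0.1"],
  "127.1"              => ["127.0.0.1"],
  "0x7f000001"         => ["127.0.0.1"],
  "0177.0.0.1"         => ["127.0.0.1"],
  "::1"                => ["::1"],
  "169.254.169.254"    => ["169.254.169.254"],
  "cdn.example.net"    => ["203.0.113.20"],              # public address (TEST-NET-3)
  "rebind.example.net" => ["203.0.113.20", "10.0.0.5"],  # one public, one internal record
}.freeze
STUB_RESOLVER = ->(host) { STUB_DNS.fetch(host.downcase, []) }  # DNS names are case-insensitive

if __FILE__ == $PROGRAM_NAME
  [
    "http://localhost/config",
    "http://LOCALHOST/config",
    "http://0x7f000001/",
    "http://127.1/",
    "http://[::1]/",
    "http://169.254.169.254/latest/meta-data/",
    "http://rebind.example.net/logo.png",
    "https://cdn.example.net/logo.png?ref=localhost",
    "file:///etc/passwd",
  ].each do |url|
    printf("%-50s denylist_blocks=%-5s hardened_allows=%s\n",
           url, denylist_local_url?(url), safe_upload_url?(url, resolver: STUB_RESOLVER))
  end
end
```

The validator resolves rather than parses because the decision must be made on the address the HTTP client will actually dial, and the system resolver already normalises hex, octal, dword and short spellings, so there is no hand-written canonicaliser to get wrong. Two caveats remain outside this function: a resolve-then-fetch sequence can be raced by DNS rebinding (a short-TTL record that answers with a public address first and 127.0.0.1 second), so the fetch should connect to the address that was checked rather than resolving again; and any redirect the external host returns must be re-checked per hop or redirect following disabled.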
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| camaleon_cms (RubyGems) | >= 2.1.2.0, < 2.6.0.1 | 2.6.0.1 |
Affected products
- camaleon_cms/camaleon_cms (v5, Range: 2.1.2.0)
Patches
5a252d537411: Disallow uploads from localhost
2 files changed · +19 −1
app/controllers/camaleon_cms/admin/media_controller.rb+18 −1 modified@@ -4,6 +4,15 @@ class CamaleonCms::Admin::MediaController < CamaleonCms::AdminController skip_before_action :verify_authenticity_token, only: :upload, raise: false before_action :init_media_vars, except: :download_private_file + LOCALHOST_DOMAIN_MATCHER = %r{ + localhost| + 127\.0\.0\.1| + 0\.0\.0\.0| + 0x7f\.0x0\.0x0\.0x1| # hex encoding + 0177\.0\.0\.01| # octal encoding + 2130706433 # dword encoding + }x + # render media section def index authorize! :manage, :media @@ -67,7 +76,11 @@ def actions unless params[:url].start_with?('data:') params[:url] = (params[:url].start_with?('http') ? '' : current_site.the_url(locale: nil)) + params[:url] end - r = cama_tmp_upload( params[:url], formats: params[:formats], name: params[:name]) + r = if local_url?(params[:url]) + { error: t("camaleon_cms.admin.media.local_upload_denied") } + else + cama_tmp_upload( params[:url], formats: params[:formats], name: params[:name]) + end unless r[:error].present? params[:file_upload] = r[:file_path] sett = {remove_source: true} @@ -80,6 +93,10 @@ def actions end end + def local_url?(url) + url.try :match?, LOCALHOST_DOMAIN_MATCHER + end + # upload files from media uploader def upload(settings = {}) params[:dimension] = nil if params[:skip_auto_crop].present?
config/locales/camaleon_cms/admin/en.yml+1 −0 modified@@ -212,6 +212,7 @@ en: reload: 'Reload' clear_cache: 'Clear Cache' name_required: 'File name is required' + local_upload_denied: 'Cannot upload from localhost' menus: menus: Menus link_url: 'Link URL'
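Review bot: LOCALHOST_DOMAIN_MATCHER (first hunk of media_controller.rb) is an unanchored, case-sensitive substring match over the whole URL, so it both under-blocks and over-blocks. Under: it lists exactly one spelling per encoding, so `0x7f000001`, `0x7f.0.0.1`, `0177.0.0.1`, `127.1`, every other 127.0.0.0/8 address, `[::1]` and `LOCALHOST` (no `i` flag) all pass, as does any DNS name that resolves to loopback; none of the private (10/8, 172.16/12, 192.168/16) or link-local (169.254/16) ranges appear at all. Over: `http://cdn.example/img.png?ref=localhost` is rejected because `localhost` occurs in the query string. Suggest parsing with `URI`, resolving `uri.hostname`, and refusing when any returned address is loopback, private, link-local or unspecified (`IPAddr#loopback?`, `#private?`, `#link_local?`) instead of matching strings.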
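Review bot: in the `actions` hunk the `local_url?` guard inspects only the string the admin submitted (after the site URL has been prepended for non-http values); whatever `cama_tmp_upload` does with redirects is outside this check, so an external host answering with a 3xx to `http://127.0.0.1/...` is not covered here if the client follows redirects. Either disable redirect following in the fetch or re-run the check on every hop. Reusing the existing `r[:error]` path for the `{ error: ... }` return is fine; consider also logging the rejected URL and the admin user, since a blocked attempt from an admin session is worth an audit entry.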
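Review bot: `local_url?` in the third hunk matches case-sensitively, so `LOCALHOST` or `LocalHost` slips past even though hostnames are case-insensitive; add the `i` flag to the regex or `downcase` the URL before matching. The `url.try :match?, ...` form is also unnecessary: the caller has already invoked `params[:url].start_with?('data:')` on the same value, so a non-String would have raised before reaching this method, and a plain `url.match?(...)` is clearer.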
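Review bot: the new `local_upload_denied` key lands only in config/locales/camaleon_cms/admin/en.yml (the diff touches two files and no other locale), so an admin UI running another locale will render the missing-translation placeholder rather than a message. Add the key to the other locale files or pass a `default:` string to `t()` in the controller.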
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vx6p-q4gj-x6xx (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25972 (NVD)
- github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190 (fix commit)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25972.yml (ruby-advisory-db entry)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972 (WhiteSource vulnerability database)
News mentions
No linked articles in our index yet.