VYPR
Moderate severity · NVD Advisory · Published Oct 22, 2024 · Updated Oct 23, 2024

CVE-2024-48652

Description

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Camaleon CMS 2.7.5 has a stored XSS in the content group name field, allowing remote authenticated attackers to execute arbitrary JavaScript.

Vulnerability

Description

Camaleon CMS version 2.7.5 contains a stored Cross-Site Scripting (XSS) vulnerability in the content group name field [1]. The application fails to properly sanitize user-supplied input when creating or editing content groups, allowing an attacker to inject arbitrary HTML and JavaScript code [4].

Exploitation

An attacker with administrative access can exploit this vulnerability by navigating to Settings > Content Groups, selecting an existing group, and editing the name field to include a malicious payload such as "> [4]. After saving, the payload is stored and executed when any user views the affected content group, including other administrators [4].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or further attacks such as credential harvesting and unauthorized actions within the CMS [1][4]. The attack is remote and does not require special privileges beyond a valid admin account.

Mitigation

The vendor has not released a patched version as of the publication date [1]. Users are advised to restrict access to the admin panel, apply input validation, and consider upgrading to a newer version if available [2][3]. The vulnerability is publicly documented with proof-of-concept code [4].
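As an added illustration of the output-escaping and input-validation advice above (example code written for this page, not camaleon_cms code), the following Ruby snippet contrasts a view that emits a stored content-group name raw, as plain ERB's <%= %> does, with one that escapes it on output, and adds a save-time name validator; the ContentGroup struct, the template markup and the sample name are constructed.

```ruby
require "erb"

# Constructed stand-in for a stored content-group record (not camaleon_cms code).
ContentGroup = Struct.new(:name)

# Vulnerable pattern: plain ERB's <%= %> does NOT escape, so whatever was stored
# in the name field is emitted as HTML (the Rails equivalent is rendering the
# value through raw/html_safe). Markup saved in the name then runs in the
# browser of every administrator who opens the content-group listing.
VULNERABLE_TEMPLATE = ERB.new('<li class="group"><%= group.name %></li>')

# Hardened pattern: escape on output. The name stays stored verbatim (it is
# data), but the view renders it as text, so tags become inert entities.
SAFE_TEMPLATE = ERB.new(
  '<li class="group"><%= ERB::Util.html_escape(group.name) %></li>'
)

def render_vulnerable(group)
  VULNERABLE_TEMPLATE.result_with_hash(group: group)
end

def render_safe(group)
  SAFE_TEMPLATE.result_with_hash(group: group)
end

# Defense in depth at save time: a content-group name has no legitimate need
# for angle brackets, so reject them on input rather than relying only on
# output escaping (which every view must remember to apply).
def valid_group_name?(name)
  s = name.to_s.strip
  !s.empty? && s.length <= 100 && !s.match?(/[<>]/)
end

if __FILE__ == $0
  # Constructed sample: the kind of value an editor could save into the field.
  group = ContentGroup.new('<script>alert(1)</script>')
  puts "raw:       #{render_vulnerable(group)}"      # script tag survives
  puts "escaped:   #{render_safe(group)}"            # &lt;script&gt;... is inert
  puts "accepted?: #{valid_group_name?(group.name)}" # false
end
```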

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
camaleon_cms (RubyGems)  <= 2.7.5            (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)