Miggo Logo
Miggo Vulnerability Database
CVE-2024-48652

CVE-2024-48652: camaleon_cms affected by cross site scripting

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-48652
GHSA ID
GHSA-hhxg-rvc9-8726
EPSS Score
0.88729%
CWE
CWE-79
Published
10/23/2024
Updated
10/24/2024
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
camaleon_cmsrubygems<= 2.7.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in the content group name field handling. In Rails applications, XSS typically occurs either during input sanitization (controller/model level) or output escaping (view level). The reproduction steps indicate stored XSS, requiring both: 1) insufficient input validation when saving the name field (controller/model), and 2) unsafe rendering in views. While exact code isn't available, the admin content group editing flow would logically involve these components. The high confidence in view rendering stems from Rails' default unsafe output behavior when using <%= %> without escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* vuln*r**ility in **m*l*on-*ms v.*.*.* *llows r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* t** *ont*nt *roup n*m* *i*l*.

Reasoning

T** vuln*r**ility m*ni**sts in t** *ont*nt *roup n*m* *i*l* **n*lin*. In R*ils *ppli**tions, XSS typi**lly o**urs *it**r *urin* input s*nitiz*tion (*ontroll*r/mo**l l*v*l) or output *s**pin* (vi*w l*v*l). T** r*pro*u*tion st*ps in*i**t* stor** XSS, r