Description
In Camaleon CMS, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, which allows an unauthenticated attacker to store malicious scripts in the comments section of a post. These scripts are executed in a victim's browser when they open the page containing the malicious comment.
References (2)
Patch, Third Party Advisory (x_refsource_misc): https://github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c
Third Party Advisory (x_refsource_misc): https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969
Scores
CVSS v3: 6.1
EPSS: 0.0147
EPSS Percentile: 81.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
rubygems/camaleon_cms: 0.0.1 - 2.6.0.1 (RubyGems)
tuzitio/camaleon_cms: 0.0.1 - 2.6.0
Published: Oct 20, 2021
Tracked Since: Feb 18, 2026