CVE-2023-30145

CRITICAL

Camaleon CMS < 2.7.0 - Server-Side Template Injection via Formats Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-30145. PoCs published by PARAG BAGUL, paragbagul111.

AI-analyzed exploit summary This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Camaleon CMS v2.7.0 via the `formats` parameter. The PoC includes payloads for arbitrary code execution, such as reading `/etc/passwd`.

Description

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED

by PARAG BAGUL · textwebappsruby

https://www.exploit-db.com/exploits/51489

View Code ZIP pw:eip

This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in Camaleon CMS v2.7.0 via the `formats` parameter. The PoC includes payloads for arbitrary code execution, such as reading `/etc/passwd`.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Camaleon CMS v2.7.0

Auth required

Prerequisites: Access to the admin panel · Valid session cookie

MITRE ATT&CK

T1221 - Template Injection T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 7 stars

by paragbagul111 · poc

https://github.com/paragbagul111/CVE-2023-30145

View Code ZIP pw:eip

This repository contains a writeup describing a Server-Side Template Injection (SSTI) vulnerability in Camaleon CMS v2.7.0 via the 'formats' parameter. It includes steps to detect and exploit the vulnerability, such as injecting payloads to read files like '/etc/passwd'.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Camaleon CMS v2.7.0

Auth required

Prerequisites: Access to the admin panel · Ability to intercept and modify HTTP requests

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html

Exploit, Technical Description, Third Party Advisory

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Exploit, Third Party Advisory

https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link

Exploit, Third Party Advisory

https://github.com/paragbagul111/CVE-2023-30145

Technical Description

https://portswigger.net/research/server-side-template-injection

Scores

CVSS v3 9.8

EPSS 0.5347

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

rubygems/camaleon_cms 0 - 2.7.4RubyGems

tuzitio/camaleon_cms < 2.7.0

Published May 26, 2023

Tracked Since Feb 18, 2026