CVE-2023-30145

CRITICAL

Tuzitio Camaleon Cms < 2.7.0 - Code Injection

Title source: rule

Description

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED

by PARAG BAGUL · textwebappsruby

https://www.exploit-db.com/exploits/51489

View Code ZIP pw:eip

nomisec WRITEUP 7 stars

by paragbagul111 · poc

https://github.com/paragbagul111/CVE-2023-30145

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/172593/Camaleon-CMS-2.7.0-Server-Side-Template-Injection.html

[Exploit, Technical Description, Third Party Advisory] https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

[Exploit, Third Party Advisory] https://drive.google.com/file/d/11MsSYqUnDRFjcwbQKJeL9Q8nWpgVYf2r/view?usp=share_link

[Exploit, Third Party Advisory] https://github.com/paragbagul111/CVE-2023-30145

[Technical Description] https://portswigger.net/research/server-side-template-injection

Scores

CVSS v3 9.8

EPSS 0.5327

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

rubygems/camaleon_cms 0 - 2.7.4RubyGems

tuzitio/camaleon_cms < 2.7.0

Published May 26, 2023

Tracked Since Feb 18, 2026