Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
Affected versions: all versions that are below 2.7.0. Fixed versions: 2.7.4

1. Open the URL https://target.com/admin/media/upload
2. Upload any file and intercept the request. In the formats parameter value add this payload: testi<%= 77 %>vuuvm. In the response it will return the multiplication of 77, with the message "File format not allowed (dqopi49vuuvm)".
3. After that, to execute a command, add this payload: testqopi<%= File.open('/etc/passwd').read %>fdtest
The attack vector for this vulnerability is the unsanitized user input in the 'formats' parameter: the value is passed into server-side template rendering, so an attacker can inject template directives, which leads to Server-Side Template Injection (SSTI). The attacker uploads a file, intercepts the request, and modifies the 'formats' parameter value with a payload containing a template directive that executes arbitrary code. In this case, the attacker uses the 'dqopi<%= File.open('/etc/passwd').read %>fdfdsf' payload to read the contents of the '/etc/passwd' file on the server. This can allow the attacker to gain unauthorized access to sensitive information and potentially take control of the server.
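The root cause described above is generic to ERB: if the value of a request parameter is spliced into the template source, any `<%= %>` tag inside it is compiled and executed. The following is an added, illustrative Ruby example, not Camaleon CMS code. The function names (`format_error_vulnerable`, `format_error_safe`, `allowed_format?`, `template_injection_probe?`) and the `PROBE` input are constructed here; the probe is the same benign arithmetic check the advisory uses, and the hardened variant shows the fix a maintainer would apply: a fixed template with user input passed as data, plus an allow-list on the parameter and a detection check suitable for logging.

```ruby
require "erb"

# Constructed sample input: the kind of value placed in the "formats"
# parameter during the advisory's test step (a harmless arithmetic probe).
PROBE = "dqopi<%= 7*7 %>vuuvm"

# VULNERABLE pattern (hypothetical, not Camaleon's code): the user-supplied
# value is interpolated into the template *source* before ERB compiles it,
# so ERB tags inside the value run on the server.
def format_error_vulnerable(user_format)
  template = "File format not allowed (#{user_format})"
  ERB.new(template).result(binding)
end

# HARDENED pattern: the template is a fixed constant and the user value is
# supplied as data. ERB only evaluates tags that exist in the template
# source, so tags inside the input are returned as literal text.
SAFE_TEMPLATE = ERB.new("File format not allowed (<%= fmt %>)")

def format_error_safe(user_format)
  SAFE_TEMPLATE.result_with_hash(fmt: user_format.to_s)
end

# Input validation: a file-format parameter should only ever be a short
# alphanumeric extension, so reject anything else before it reaches any
# rendering or error-message code path.
def allowed_format?(value)
  value.is_a?(String) && value.match?(/\A[a-z0-9]{1,10}\z/i)
end

# Detection helper for request logging / WAF rules: flags values that carry
# template syntax (ERB, Jinja/Twig-style, or ${...}) so probes like the one
# in the advisory show up in monitoring even when the input is rejected.
def template_injection_probe?(value)
  value.to_s.match?(/<%.*?%>|\{\{.*?\}\}|\$\{.*?\}/m)
end

if __FILE__ == $PROGRAM_NAME
  puts format_error_vulnerable(PROBE)   # the probe is evaluated
  puts format_error_safe(PROBE)         # the probe is echoed verbatim
  puts allowed_format?(PROBE)           # false: rejected by the allow-list
  puts template_injection_probe?(PROBE) # true: worth logging
end
```

Run the file directly to see the two renderings side by side. The point of the hardened function is not escaping: the template is constructed once from trusted source text and the request value never becomes template code, so there is nothing for `<%= %>` to execute.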
SSTI vulnerabilities are serious and can lead to a complete compromise of the application's data and functionality, and often of the server that is hosting the application. Attackers may also use the server as a platform for further attacks against other systems.

Product: Camaleon CMS
Reference: Camaleon-cms https://github.com/owen2345/camaleon-cms
Reporter: Parag Bagul