GHSA-75j2-9gmc-m855
MEDIUMCamaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
Blast Radius
camaleon_cmsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects RubyGems packages — download data is not available via public APIs for these ecosystems.
Description
A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)
Impact
This issue may lead to account takeover due to reflected Cross-site scripting (XSS).
Remediation
Only allow the upload of safe files such as PNG, TXT and others or serve all "unsafe" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.
Additionally, a Content security policy (CSP) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)
To prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 💎RubyGems | camaleon_cms | ≥ 2.8.0&&< 2.8.2 | 2.8.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for camaleon_cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update camaleon_cms to 2.8.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-75j2-9gmc-m855 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-75j2-9gmc-m855 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-75j2-9gmc-m855. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-75j2-9gmc-m855 in your dependencies?
O3 detects GHSA-75j2-9gmc-m855 across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.