CVE-2025-2304

Severity CVSS v4.0:

CRITICAL

Type:

Unavailable / Other

Publication date:

14/03/2025

Last modified:

14/03/2025

Description

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS<br /> <br /> When a user wishes to change his password, the &#39;updated_ajax&#39; method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS v4.0 Severity and Metrics:

Base Score: 9.40 CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High

Base Score 4.0

9.40

Severity 4.0

CRITICAL

CVE-2025-2304

Description

Impact

References to Advisories, Solutions, and Tools