CVE-2025-2304

Vulnerability Description

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

Related Weaknesses (CWE)

CWE-915

References

https://github.com/owen2345/camaleon-cms
https://www.tenable.com/security/research/tra-2025-09

FAQ

What is CVE-2025-2304?

CVE-2025-2304 is a documented vulnerability. A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems ...

How severe is CVE-2025-2304?

CVSS scoring is not yet available for CVE-2025-2304. Check NVD for updates.

Is there a patch for CVE-2025-2304?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.