Search criteria
2 vulnerabilities found for Cameleon CMS by tuzitio
CVE-2023-53936 (GCVE-0-2023-53936)
Vulnerability from nvd – Published: 2025-12-18 19:53 – Updated: 2025-12-18 21:47
VLAI?
Title
Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation
Summary
Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tuzitio | Cameleon CMS |
Affected:
2.7.4
|
Credits
Yasin Gergin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:03:49.299253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T21:47:11.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cameleon CMS",
"vendor": "tuzitio",
"versions": [
{
"status": "affected",
"version": "2.7.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yasin Gergin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T19:53:33.354Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51446",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51446"
},
{
"name": "Product GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/owen2345/camaleon-cms"
},
{
"name": "VulnCheck Advisory: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cameleon-cms-authenticated-persistent-cross-site-scripting-via-post-creation"
}
],
"title": "Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53936",
"datePublished": "2025-12-18T19:53:33.354Z",
"dateReserved": "2025-12-16T19:22:09.997Z",
"dateUpdated": "2025-12-18T21:47:11.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53936 (GCVE-0-2023-53936)
Vulnerability from cvelistv5 – Published: 2025-12-18 19:53 – Updated: 2025-12-18 21:47
VLAI?
Title
Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation
Summary
Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tuzitio | Cameleon CMS |
Affected:
2.7.4
|
Credits
Yasin Gergin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:03:49.299253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T21:47:11.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cameleon CMS",
"vendor": "tuzitio",
"versions": [
{
"status": "affected",
"version": "2.7.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yasin Gergin"
}
],
"descriptions": [
{
"lang": "en",
"value": "Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T19:53:33.354Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51446",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51446"
},
{
"name": "Product GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/owen2345/camaleon-cms"
},
{
"name": "VulnCheck Advisory: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cameleon-cms-authenticated-persistent-cross-site-scripting-via-post-creation"
}
],
"title": "Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53936",
"datePublished": "2025-12-18T19:53:33.354Z",
"dateReserved": "2025-12-16T19:22:09.997Z",
"dateUpdated": "2025-12-18T21:47:11.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}