How severe is CVE-2024-46986?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2024-46986?

This is classified as CWE-74, which is a common weakness in software security.

CVE-2024-46986 - CRITICAL Severity | CVSS 9.9

Vulnerability Description

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2016-9832

CRITICAL

CVSS:9.9(Critical)

PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communicat...

CWE-742016

CVE-2020-10208

CRITICAL

CVSS:9.9(Critical)

Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute ar...

CWE-742020

CVE-2022-2992

CRITICAL

CVSS:9.9(Critical)

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitH...

CWE-742022

CVE-2023-27479

CRITICAL

CVSS:9.9(Critical)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity...

CWE-742023

CVE-2005-3056

CRITICAL

CVSS:9.8(Critical)

TWiki allows arbitrary shell command execution via the Include function

CWE-742005

CVE-2011-2717

CRITICAL

CVSS:9.8(Critical)

The DHCPv6 client (dhcp6c) as used in the dhcpv6 project through 2011-07-25 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message...

CWE-742011