Cameleon CMS Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in Cameleon CMS version 2.7.4. This vulnerability allows authenticated administrators to inject malicious scripts into post titles. The injected scripts can execute when other users hover over the post title, potentially leading to the theft of session cookies and the execution of arbitrary JavaScript.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the post.

Reproduction

To reproduce this vulnerability, log in as an administrator and create a new post. Inject a script into the title using an SVG payload, such as one that triggers an alert with the document's cookies. Once the post is published, the script will execute when another user hovers over the title.
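The root cause described above is a post title that is stored and later rendered without HTML encoding. The following is an added example, not code from Cameleon CMS: it shows a title rendered unescaped beside the encoded form, and an audit function a defender can run over stored titles to find ones that already carry markup or inline event handlers. The post shape (`id`, `title`) and the sample records are constructed assumptions.

```javascript
// Added example (not Cameleon CMS code). Assumes posts are plain objects
// with `id` and `title`; the sample records below are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and attribute values. Escaping all five
// characters means a stored title can neither close the surrounding attribute
// nor open a new element such as <svg>, so no handler can fire on hover.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The vulnerable pattern: the title is interpolated raw into both a tooltip
// attribute and the visible text of the post list.
function renderTitleVulnerable(post) {
  return `<a href="/posts/${post.id}" title="${post.title}">${post.title}</a>`;
}

// The hardened form: encode at render time, in both contexts.
function renderTitleSafe(post) {
  const safe = escapeHtml(post.title);
  return `<a href="/posts/${post.id}" title="${safe}">${safe}</a>`;
}

// Audit for already-stored titles: flag anything that looks like a tag
// (a '<' followed by a tag name) or an inline on*= event handler.
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
const HANDLER_RE = /\bon[a-z]+\s*=/i;

function findSuspiciousTitles(posts) {
  return posts
    .filter((p) => TAG_RE.test(p.title) || HANDLER_RE.test(p.title))
    .map((p) => ({ id: p.id, reason: HANDLER_RE.test(p.title) ? 'event handler' : 'markup' }));
}

// Constructed sample posts: a benign title, one carrying an SVG hover
// payload of the kind the advisory describes, and one with a harmless '<'.
const SAMPLE_POSTS = [
  { id: 1, title: 'Release notes for 2.7.4' },
  { id: 2, title: '<svg onmouseover="alert(document.cookie)">Hello' },
  { id: 3, title: 'Tom & Jerry <3' },
];
```

Running `findSuspiciousTitles` against the real posts table is a quick way to confirm whether any title was already tampered with before the encoding fix is deployed.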

Added: Dec 18, 2025, 8:30 PM
Updated: Dec 18, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.