CVE-2023-30145: 
Ruby vulnerability analysis and mitigation

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. The vulnerability was identified and assigned CVE-2023-30145, affecting all versions below 2.7.4 (NVD, FortiGuard).

The vulnerability exists in the formats parameter during file upload functionality. The CVSS v3.1 base score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code). The issue allows attackers to inject template directives that can be executed server-side (GitHub POC).

The vulnerability allows attackers to execute arbitrary code on the server through template injection. This can lead to complete compromise of the application's data and functionality, and potentially the entire server hosting the application. The attacker could potentially use the compromised server as a platform for further attacks against other systems (PortSwigger).

The vulnerability has been fixed in version 2.7.4. Users should upgrade to this version or later to mitigate the risk (FortiGuard).