CVE-2025-2304: 
Ruby vulnerability analysis and mitigation

A Privilege Escalation vulnerability (CVE-2025-2304) was discovered in Camaleon CMS, affecting versions prior to 2.9.1. The vulnerability was disclosed on March 14, 2025, and stems from insufficient input sanitization in the 'updated_ajax' method of the UsersController when users attempt to change their passwords (Tenable Research, NVD).

The vulnerability exists due to the use of the dangerous permit! method in the UsersController's updated_ajax function, which allows all parameters to pass through without any filtering. The CVSS v4.0 base score is 9.4 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The vulnerability is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) (Tenable Research, NVD).

The vulnerability allows remote attackers with limited privileges to escalate their privileges to administrator level by exploiting the mass assignment vulnerability. An attacker can submit a request with an extra parameter that includes the role attribute, effectively elevating their privileges on vulnerable systems (Tenable Research, FortiGuard Labs).

Users are advised to upgrade to Camaleon CMS version 2.9.1 or later to address this vulnerability. The fix was released on March 15, 2025, after coordinated disclosure between the researcher and the vendor (Tenable Research, GitHub Repository).