GHSA-8fx8-3rg2-79xw: 
Ruby vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Camaleon CMS's image upload functionality, identified as GHSA-8fx8-3rg2-79xw. The vulnerability affects versions prior to 2.8.1 and was published on September 23, 2024. The vulnerability allows registered users to upload SVG images containing malicious JavaScript code or HTML documents by manipulating the format parameter (GitHub Advisory).

The vulnerability exists in the image upload functionality where users can upload SVG files containing JavaScript or HTML documents by modifying the format parameter to 'documents' or an unsupported format. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Moderate severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (GitHub Advisory).

The vulnerability can lead to account takeover through reflected Cross-site Scripting (XSS). When an authenticated user or administrator visits the uploaded malicious file, unauthorized JavaScript code can be executed on their behalf, potentially allowing attackers to modify or delete content within the CMS (GitHub Advisory, Ruby Advisory).

The vulnerability has been patched in version 2.8.1. Recommended mitigations include: only allowing upload of safe files (PNG, TXT), serving unsafe files with a content-disposition: attachment header, implementing a Content Security Policy (CSP) that disallows inline scripts, marking auth_token with HttpOnly flag, and considering the use of Ruby on Rails authentication for time-limited tokens (GitHub Advisory).