GHSA-r9cr-qmfw-pmrc: 
Ruby vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Camaleon CMS's image upload functionality, identified as GHSA-r9cr-qmfw-pmrc. The vulnerability affects versions below 2.8.1 and was patched in version 2.8.1. The issue allows normal registered users to upload SVG images containing malicious JavaScript or HTML documents by manipulating the format parameter (GitHub Advisory).

The vulnerability exists in the image upload functionality where users can upload SVG files containing JavaScript code or HTML documents by modifying the format parameter. When an authenticated user or administrator visits the uploaded file, the malicious JavaScript executes in their context. The vulnerability is rated as Moderate with a CVSS score of 4.8, requiring low attack complexity and user interaction. The attack vector is network-based and requires low privileges (GitHub Advisory).

The vulnerability can lead to account takeover through cross-site scripting (XSS). When exploited, attackers can execute arbitrary JavaScript in the context of authenticated users or administrators, potentially allowing them to change or delete content within the CMS. The auth_token cookie, which only changes when a user changes their password, can be stolen through this attack (GitHub Advisory).

The recommended mitigation strategies include: only allowing upload of safe files (PNG, TXT), serving unsafe files with a content-disposition: attachment header, implementing a Content Security Policy (CSP) that disallows inline scripts, marking the auth_token with HttpOnly flag, and considering the use of Ruby on Rails authentication for token expiration. These changes were implemented in version 2.8.1 (GitHub Commit).