## https://sploitus.com/exploit?id=30299F59-AE61-5991-89ED-6AFF5C611A06
# PoC: CVE-2025-2304 - Camaleon CMS Privilege Escalation
## Technical Overview
This repository contains a Functional Proof of Concept (PoC) for a **Mass Assignment** vulnerability in **Camaleon CMS** (versions prior to 2.8.1). The vulnerability resides in the `updated_ajax` endpoint of the User Management module, where the application fails to strictly filter sensitive attributes within the `password` parameter hash.
By injecting a `role` attribute into the `password` scope during a profile update, a low-privileged user can overwrite their own permissions to gain `admin` status.
### Vulnerability Mechanism
The vulnerability is rooted in a misconfiguration of **Strong Parameters** in the Ruby on Rails controller. When the application processes the AJAX update request, it improperly allows the `role` key to be merged into the user object's attributes:
* **Vulnerable Endpoint:** `/admin/users/:id/updated_ajax`
* **Vulnerable Parameter Scope:** `password[...]`
* **Injection Vector:** `password[role]=admin`
---
## Technical Features
* **Session Persistence:** Utilizes `requests.Session` to maintain state across the authentication and exploitation phases.
* **Automated CSRF Synchronization:** Scrapes the `authenticity_token` from the DOM and synchronizes it with the `X-CSRF-Token` header, satisfying Rails' AJAX security requirements.
* **Dynamic ID Discovery:** Parses the `/admin/profile/edit` page to dynamically resolve the `user[id]` required for the RESTful endpoint.
* **HTTP Method Emulation:** Implements the `_method=patch` override to satisfy the application's routing requirements for resource updates via `POST`.
---
## Requirements
* Python 3.10+
* `requests`
* `beautifulsoup4`
Install dependencies:
```bash
pip install -r requirements.txt
```
---
## Usage
```bash
python3 main.py -u --user --password
```
### Exploit Execution Flow
1. **Auth (POST `/admin/login`):** Establishes an authenticated session using `user[username]`.
2. **Recon (GET `/admin/profile/edit`):** Extracts the unique `user[id]` and a fresh `authenticity_token`.
3. **Escalation (PATCH-over-POST `/admin/users/:id/updated_ajax`):** Dispatches the injection payload.
---
## Payload Specification
The exploit utilizes an `application/x-www-form-urlencoded` payload structured as follows:
| Parameter | Value | Description |
| --- | --- | --- |
| `_method` | `patch` | Rails REST method override |
| `authenticity_token` | `[Captured]` | Synchronized CSRF protection |
| `password[password]` | `[NewPassword]` | Required for password-scope validation |
| `password[role]` | `admin` | **Malicious Injection** |
---
## Ethical Disclosure
This tool is for educational purposes and authorized penetration testing only. Unauthorized access to production systems is illegal.