Share
## https://sploitus.com/exploit?id=5BEA2FBA-F991-5925-A9FC-6F664099897B
# CVE-2024-46987 - Camaleon CMS Authenticated Arbitrary File Read

This repository contains a Proof of Concept (PoC) script for **CVE-2024-46987**, which allows for arbitrary file reading (LFI / Path Traversal) on **Camaleon CMS**.

## Description

A Path Traversal vulnerability has been identified in Camaleon CMS versions 2.8.0 to  -l  -p  
```

### Arguments

- `-u`, `--url`: Base URL of the target site (e.g., `http://example.com`).
- `-l`, `--user`: Username for authentication.
- `-p`, `--password`: Password for authentication.
- `--path`: (Optional) Path to the vulnerable endpoint. Default: `admin/media/download_private_file`.
- `-v`, `--verbose`: Enable verbose mode to see connection steps.
- `file`: The path of the file to read on the server (e.g., `/etc/passwd`).

### Examples

Read the `/etc/passwd` file:

```bash
python3 CVE-2024-46987.py -u http://target-cms.local -l admin -p password123 /etc/passwd
```

Use verbose mode:

```bash
python3 CVE-2024-46987.py -u http://target-cms.local -l user -p pass -v /etc/hosts
```

## Disclaimer

This code is provided for **educational and security research purposes only**. Using this script against targets without prior authorization is illegal. The author disclaims any responsibility for misuse.

Always ensure you have explicit permission before conducting penetration tests.
# CVE-2024-46987