Description

Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.

State: PUBLISHED | Reserved 2025-12-16 | Published 2025-12-18 | Updated 2025-12-18 | Assigner: VulnCheck

Severity

MEDIUM 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
MEDIUM 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

2.7.4: affected

Credits

Yasin Gergin (finder)

References

www.exploit-db.com/exploits/51446 (ExploitDB-51446) [exploit]

github.com/owen2345/camaleon-cms (Product GitHub Repository) [product]

www.vulncheck.com/...-cross-site-scripting-via-post-creation (VulnCheck Advisory: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation) [third-party-advisory]

cve.org (CVE-2023-53936)

nvd.nist.gov (CVE-2023-53936)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.