CVE-2025-2304 Information

Description

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS

When a user wishes to change their password, the ‘updated_ajax’ method of the UsersController is called. The vulnerability stems from the use of the dangerous ‘permit!’ method, which allows all submitted parameters to pass through to the model without any filtering, so attributes beyond the password can be mass-assigned.
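As an added illustration (not the Camaleon CMS code itself), the pattern the description names: a Rails-style ‘permit!’ that passes every submitted field to the model, beside an allowlisting ‘permit’ that keeps only the password. The Params and User classes are stand-ins written for this example so it runs without Rails; the ‘role’ attribute is an assumption.

```ruby
# Minimal stand-in for ActionController::Parameters (assumption: behaviour
# modelled on Rails strong parameters; Rails itself is not required here).
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # permit!: marks every key as permitted, so nothing is filtered out.
  def permit!
    @hash.dup
  end

  # permit(*keys): allowlist; only the named keys survive.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Hypothetical user record; the role attribute is assumed for illustration.
class User
  attr_reader :role, :password

  def initialize(role:, password:)
    @role = role
    @password = password
  end

  # Mass assignment: every key in attrs becomes an attribute write.
  def update(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end
end

# Vulnerable pattern from the advisory: permit! lets every key through.
def update_ajax_vulnerable(user, params)
  user.update(params.permit!)
end

# Hardened pattern: allowlist only the field a password change needs.
def update_ajax_hardened(user, params)
  user.update(params.permit(:password))
end
```

With a constructed request carrying both ‘password’ and ‘role’, the vulnerable variant changes the role while the hardened one only updates the password.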

Reference

https://github.com/owen2345/camaleon-cms
https://www.tenable.com/security/research/tra-2025-09