Vulnerability in Owen2345 Camaleon-cms

CVE-2025-2304

A privilege escalation through mass assignment exists in Camaleon CMS. When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! m…

Vulnerability class: Mass Assignment

EPSS: 0.002 (42.9th percentile)

Frequently asked questions

What is CVE-2025-2304?
CVE-2025-2304 is a vulnerability in Owen2345 Camaleon-cms, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. Published 2025-03-14.

Is CVE-2025-2304 known to be exploited?
20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.