What is CVE-2023-30145?

A critical Server-Side Template Injection (SSTI) vulnerability has been identified in Tuzitio's Camaleon CMS v2.7.0. Immediate action is required to mitigate potential impacts on confidentiality, integrity, and availability.

What is the severity of CVE-2023-30145?

CVE-2023-30145 has a severity rating of CRITICAL with a CVSS base score of 9.8.

CVE-2023-30145 | Critical Vulnerability in Tuzitio Camaleon CMS

On May 26, 2023, a critical Server-Side Template Injection (SSTI) vulnerability was discovered in Tuzitio's Camaleon CMS version 2.7.0. This vulnerability is classified with a CVSS score of 9.8, indicating a severe risk to organizations utilizing this software. The vulnerability was identified via the formats parameter, which can be manipulated to execute arbitrary code on the server.

Risk to organizations includes potential unauthorized access to sensitive information, disruption of service, and integrity compromises. As the attack vector is network-based and requires no user interaction, the urgency for remediation is high. Organizations should prioritize patching immediately.

Current exploitation status indicates that there is at least one confirmed exploit available, making it critical for affected users to assess their environments and apply necessary updates to mitigate risks.

Organizations leveraging Camaleon CMS should not only implement the latest patches but also review their security posture and enhance monitoring strategies to detect any potential misuse of this vulnerability.

Vulnerability Details

The vulnerability identified as CVE-2023-30145 allows for Server-Side Template Injection (SSTI) due to improper validation of user input in the formats parameter. The CVSS score of 9.8 categorizes this vulnerability as critical, affecting confidentiality, integrity, and availability. The affected product is Camaleon CMS v2.7.0, published on May 26, 2023, with a weakness categorized under CWE-94.

Technical Analysis

The root cause of this vulnerability lies in the lack of proper input validation, allowing attackers to inject malicious templates that can lead to remote code execution. The attack vector is network-based, requiring no special privileges or user interaction, with low complexity for exploitation.

Given the high confidentiality, integrity, and availability impacts associated with this vulnerability, organizations must take this threat seriously. The absence of required privileges and the low complexity of attacks make this vulnerability particularly dangerous.

Risk & Impact Analysis

The potential blast radius of this vulnerability is extensive, given the widespread use of Camaleon CMS. Attackers may leverage this vulnerability to access sensitive data, alter system functionality, or disrupt services. Organizations should assess their exposure and deploy necessary patches and mitigations.

Based on the CVSS score and the confirmed exploit, organizations must prioritize this vulnerability in their patch management processes to prevent potential breaches or service disruptions.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

Camaleon CMS versions prior to 2.7.0 are affected by this vulnerability. Organizations must ensure that they are running the latest patched version to mitigate this risk.

Mitigation & Remediation

To remediate this vulnerability, organizations should immediately update to the latest version of Camaleon CMS. For further security enhancements, consider implementing configuration hardening and access controls to limit exposure to potential attacks. Continuous monitoring should be established to detect any unusual activities.

Organizations may validate remediation through penetration testing to identify similar weaknesses.

Detection Guidance

Organizations should monitor logs for any unexpected template rendering errors and audit user input fields for potential injection attempts. Behavioral anomalies in application performance may also indicate exploitation attempts.

AppSecure Threat Intelligence Insight

The emergence of SSTI vulnerabilities, such as CVE-2023-30145, underscores the need for robust application security practices. Security teams should focus on enhancing input validation and sanitization processes to prevent similar vulnerabilities.

For further insights on managing application vulnerabilities, organizations may benefit from reviewing our vulnerability management program and the importance of continuous security assessments through penetration testing. Additionally, organizations should stay informed on trends related to API security testing to better protect their applications.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2023-30145: Critical Vulnerability in Tuzitio Camaleon CMS