{"id":"CVE-2018-18260","details":"In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false. NOTE: the vendor reports that they are \"unable to reproduce the reported issue on any version.\"","aliases":["GHSA-7f84-9cqf-g4j9"],"modified":"2026-04-10T04:07:12.170418Z","published":"2018-10-15T19:29:02.680Z","references":[{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/149772/CAMALEON-CMS-2.4-Cross-Site-Scripting.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/owen2345/camaleon-cms","events":[{"introduced":"0"},{"last_affected":"d04cc8cca6235f4003515afa1a990c5bd04bdea4"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.0"}]}}],"versions":["0.1.7","0.2.0","2.1.1","2.1.2","2.1.2.0","2.2.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.4.0","v2.0.0","v2.1.1.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18260.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}