CVE-2022-39298
7.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-front, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-front >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| melisplatform | melis-front | <= 5.0.0 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/melisplatform/melis-front/security/advisories/GHSA-h479-2mv4-5c26
- https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/melisplatform/melis-front/security/advisories/GHSA-h479-2mv4-5c26
- https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.