CVE-2022-39297

2022-10-1223:15:09

CWE-502

[email protected]

web.nvd.nist.gov

cve-2022-39297

meliscms

php code execution

arbitrary data deserialization

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

MelisCms provides a full CMS for Melis Platform, including templating system, drag’n’drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-cms, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-cms >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.

Affected configurations

Vulners

NVD

Node

melisplatformmelis_cmsRange≤5.0.0

CPENameOperatorVersion
melistechnology:meliscmsmelistechnology meliscmslt5.0.1

CPE	Name	Operator	Version
melistechnology:meliscms	melistechnology meliscms	lt	5.0.1

CNA Affected

[
  {
    "vendor": "melisplatform",
    "product": "melis-cms",
    "versions": [
      {
        "version": "<= 5.0.0",
        "status": "affected"
      }
    ]
  }
]