CVELIST:CVE-2022-39297 (GitHub_M)
History: Oct 12, 2022 - 12:00 a.m.

CVE-2022-39297 Deserialization of untrusted data in MelisCms

Published: 2022-10-12 00:00:00
CWE: CWE-502
Reporter: GitHub_M
Source: www.cve.org
Tags: meliscms, cms, php code, deserialization, vulnerability, authentication, upgrade, restricting classes

CVSS3: 7.7 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: LOW
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score: 9.7 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 73.9%)

MelisCms provides a full CMS for Melis Platform, including a templating system, drag'n'drop of plugins, SEO and many administration tools. Affected versions of melisplatform/melis-cms deserialize attacker-controlled data, which ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-cms >= 5.0.1. This issue was addressed by restricting the allowed classes when deserializing user-controlled data.
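
The following is an added example, not MelisCms code, showing the CWE-502 pattern behind this advisory in PHP and the fix it describes: restricting which classes unserialize() may instantiate. The LogWriter gadget, the Preferences data class, the loader functions and the file path are hypothetical and constructed for illustration; the attacker payload is hand-built as a serialized string, as a real attacker would send it, so no gadget instance is ever created on the sending side.

```php
<?php
// Added example (not MelisCms code): CWE-502 in PHP and the mitigation the
// advisory describes, restricting the classes unserialize() may instantiate.
// LogWriter, Preferences and the loader functions are hypothetical.
declare(strict_types=1);

// Hypothetical application class with a dangerous magic method. Real gadget
// chains work the same way: an attacker-controlled object graph reaches
// __destruct/__wakeup/__toString code that acts on attacker-chosen properties.
final class LogWriter
{
    public string $path = '';
    public string $content = '';

    // Runs when the object is released, including objects rebuilt by
    // unserialize(). With attacker-chosen $path and $content this is an
    // arbitrary file write, a common step toward PHP code execution.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// The plain data class the application legitimately expects to receive.
final class Preferences
{
    public string $theme = 'light';
    public int $pageSize = 20;
}

// Vulnerable pattern: untrusted bytes go straight into unserialize(), so the
// attacker picks which class is instantiated and with which property values.
function loadPreferencesUnsafe(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern: only Preferences may be instantiated. Any other class
// name becomes __PHP_Incomplete_Class, which has no magic methods, so no
// gadget code runs. max_depth (PHP >= 7.4) also bounds nesting.
function loadPreferencesSafe(string $untrusted): ?Preferences
{
    $value = unserialize($untrusted, [
        'allowed_classes' => [Preferences::class],
        'max_depth'       => 8,
    ]);
    return $value instanceof Preferences ? $value : null;
}

// Builds a serialized object by hand, as an attacker would: no instance of
// the target class is created here, so nothing runs on the sending side.
function craftObjectPayload(string $class, array $stringProps): string
{
    $body = '';
    foreach ($stringProps as $name => $value) {
        $body .= sprintf('s:%d:"%s";s:%d:"%s";', strlen($name), $name, strlen($value), $value);
    }
    return sprintf('O:%d:"%s":%d:{%s}', strlen($class), $class, count($stringProps), $body);
}

// --- Demo on constructed inputs -------------------------------------------
$legit = serialize(new Preferences());

$dropPath  = sys_get_temp_dir() . '/cwe502_demo_' . getmypid() . '.php';
$malicious = craftObjectPayload('LogWriter', [
    'path'    => $dropPath,
    'content' => "<?php echo 'code execution'; ?>",
]);

echo "safe loader, legitimate input (expect Preferences): ";
var_dump(loadPreferencesSafe($legit) instanceof Preferences);

echo "safe loader, malicious input (expect NULL): ";
var_dump(loadPreferencesSafe($malicious));
echo "file written by safe loader (expect false): ";
var_dump(file_exists($dropPath));

// Unsafe loader: LogWriter is rebuilt from attacker bytes and __destruct
// fires as soon as the object is released, writing the attacker's file.
$obj = loadPreferencesUnsafe($malicious);
unset($obj);
echo "file written by unsafe loader (expect true): ";
var_dump(file_exists($dropPath));
@unlink($dropPath);
```

Run with `php cwe502_demo.php` on PHP 7.4 or later. The allow-list is only as strong as the classes on it: any allowed class whose magic methods or nested properties can be steered by attacker data is still a gadget, so the list should name plain data classes only. Where the input is fully untrusted, `'allowed_classes' => false` (no objects at all) or a data-only format such as JSON with schema validation is the safer default.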

CNA Affected

[
  {
    "vendor": "melisplatform",
    "product": "melis-cms",
    "versions": [
      {
        "version": "<= 5.0.0",
        "status": "affected"
      }
    ]
  }
]
