GitHub Advisory DatabaseGHSA-M3M3-6GWW-7GJ9melisplatform/melis-cms vulnerable to deserialization of untrusted data
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.9%
Impact
Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-cms, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication.
Users should immediately upgrade to melisplatform/melis-cms >= 5.0.1.
Patches
This issue was addressed by restricting allowed classes when deserializing user-controlled data.
References
For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by opening an issue on this repository.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| melisplatform/melis-cms | lt | 5.0.1 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.9%