Lucene search

K
nvd[email protected]NVD:CVE-2022-39298
HistoryOct 12, 2022 - 11:15 p.m.

CVE-2022-39298

2022-10-1223:15:09
CWE-502
web.nvd.nist.gov
3
melisfront
php code execution
deserialization vulnerability
melis platform
arbitrary data

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

73.8%

MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-front, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-front >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.

Affected configurations

Nvd
Node
melistechnologymeliscmsRange<5.0.1
VendorProductVersionCPE
melistechnologymeliscms*cpe:2.3:a:melistechnology:meliscms:*:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

73.8%

Related for NVD:CVE-2022-39298