Vulnerabilities > CVE-2022-39297 - Deserialization of Untrusted Data vulnerability in Melistechnology Meliscms

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

melistechnology

CWE-502

critical

NVD

Published: 2022-10-12

Updated: 2022-10-13

Summary

MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.

Vulnerable Configurations

Part	Description	Count
Application	Melistechnology Melistechnology Meliscms - Melistechnology Meliscms 2.1 Melistechnology Meliscms 2.1.1 Melistechnology Meliscms 2.2.0 Melistechnology Meliscms 2.2.1 Melistechnology Meliscms 2.3.0 Melistechnology Meliscms 2.3.1 Melistechnology Meliscms 2.4.0 Melistechnology Meliscms 2.5.0 Melistechnology Meliscms 3.0.0 Melistechnology Meliscms 3.0.1 Melistechnology Meliscms 3.0.2 Melistechnology Meliscms 3.0.3 Melistechnology Meliscms 3.0.4 Melistechnology Meliscms 3.0.5 Melistechnology Meliscms 3.0.6 Melistechnology Meliscms 3.0.7 Melistechnology Meliscms 3.0.8 Melistechnology Meliscms 3.0.9 Melistechnology Meliscms 3.0.10 Melistechnology Meliscms 3.1.0 Melistechnology Meliscms 3.1.1 Melistechnology Meliscms 3.1.2 Melistechnology Meliscms 3.1.3 Melistechnology Meliscms 3.1.4 Melistechnology Meliscms 3.1.5 Melistechnology Meliscms 3.1.6 Melistechnology Meliscms 3.1.7 Melistechnology Meliscms 3.1.8 Melistechnology Meliscms 3.1.9 Melistechnology Meliscms 3.1.10 Melistechnology Meliscms 3.1.11 Melistechnology Meliscms 3.1.12 Melistechnology Meliscms 3.1.13 Melistechnology Meliscms 3.2.0 Melistechnology Meliscms 3.2.1 Melistechnology Meliscms 3.2.2 Melistechnology Meliscms 3.2.3 Melistechnology Meliscms 3.2.4 Melistechnology Meliscms 3.2.5 Melistechnology Meliscms 3.2.6 Melistechnology Meliscms 3.2.7 Melistechnology Meliscms 3.2.8 Melistechnology Meliscms 3.2.9 Melistechnology Meliscms 3.2.10 Melistechnology Meliscms 3.2.11 Melistechnology Meliscms 3.2.12 Melistechnology Meliscms 3.2.13 Melistechnology Meliscms 3.2.14 Melistechnology Meliscms 4.0.0 Melistechnology Meliscms 4.0.1 Melistechnology Meliscms 4.0.2 Melistechnology Meliscms 4.0.3 Melistechnology Meliscms 4.0.4 Melistechnology Meliscms 4.0.5 Melistechnology Meliscms 4.0.6 Melistechnology Meliscms 4.0.7 Melistechnology Meliscms 4.0.8 Melistechnology Meliscms 4.0.9 Melistechnology Meliscms 4.0.10 Melistechnology Meliscms 4.0.11 Melistechnology Meliscms 4.1.0 Melistechnology Meliscms 4.1.1 Melistechnology Meliscms 4.1.2 Melistechnology Meliscms 5.0.0	65

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References