CVE-2022-39298

Опубликовано: 12 окт. 2022

Источник: nvd

CVSS3: 7.7

CVSS3: 9.8

EPSS Низкий

Описание

MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-front, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-front >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.

Ссылки

https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e
Patch
Third Party Advisory
https://github.com/melisplatform/melis-front/security/advisories/GHSA-h479-2mv4-5c26
Third Party Advisory
https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e
Patch
Third Party Advisory
https://github.com/melisplatform/melis-front/security/advisories/GHSA-h479-2mv4-5c26
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:melistechnology:meliscms:*:*:*:*:*:*:*:*

Версия до 5.0.1 (исключая)

EPSS

Процентиль: 75%

0.00888

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-502

Связанные уязвимости

GHSA-h479-2mv4-5c26

CVSS3: 7.7

github

больше 3 лет назад

melisplatform/melis-front vulnerable to deserialization of untrusted data

EPSS

Процентиль: 75%

0.00888

Низкий

7.7 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-502