CVE-2022-39297

HIGH

Melistechnology Meliscms < 5.0.1 - Insecure Deserialization

Title source: rule

Description

MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.

References (2)

[Patch, Third Party Advisory] https://github.com/melisplatform/melis-cms/commit/d124b2474699a679a24ec52620cadceb3d4cec11

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/melisplatform/melis-cms/security/advisories/GHSA-m3m3-6gww-7gj9

Scores

CVSS v3 7.7

EPSS 0.0089

EPSS Percentile 75.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Classification

CWE

CWE-502

Status published

Affected Products (2)

melistechnology/meliscms < 5.0.1

melisplatform/melis-cms < 5.0.1Packagist

Timeline

Published Oct 12, 2022

Tracked Since Feb 18, 2026