CVE-2022-39298
CVSS V2 None
CVSS V3 Critical 9.8
Description
MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-front` >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.
Overview
- CVE ID
- CVE-2022-39298
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-10-12T23:15:09
- Last Modified Date
- 2022-10-13T17:34:52
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:melistechnology:meliscms:*:*:*:*:*:*:*:* | 1 | OR | 5.0.1 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.8
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.9
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-39298 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39298 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-10-13 00:00:32 | Added to TrackCVE | |||
| 2022-12-07 06:57:37 | 2022-10-12T23:15Z | 2022-10-12T23:15:09 | CVE Published Date | updated |
| 2022-12-07 06:57:37 | 2022-10-13T17:34:52 | CVE Modified Date | updated | |
| 2022-12-07 06:57:37 | Analyzed | Vulnerability Status | updated |