melisplatform/melis-cms vulnerable to deserialization of untrusted data
High severity
GitHub Reviewed
Published
Oct 11, 2022
in
melisplatform/melis-cms
•
Updated Jan 27, 2023
Description
Published to the GitHub Advisory Database
Oct 11, 2022
Reviewed
Oct 11, 2022
Published by the National Vulnerability Database
Oct 12, 2022
Last updated
Jan 27, 2023
Impact
Attackers can deserialize arbitrary data on affected versions of
melisplatform/melis-cms
, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication.Users should immediately upgrade to
melisplatform/melis-cms
>= 5.0.1.Patches
This issue was addressed by restricting allowed classes when deserializing user-controlled data.
References
For more information
If you have any questions or comments about this advisory, you can contact:
References