CVE-2022-39298 HIGH

CVE-2022-39298: Deserialization of untrusted data in MelisFront

Vendor Melisplatform
Product melis-front
Weakness CWE-502 · Unsafe deserialization
Published October 12, 2022
Last update April 23, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01 Description

MelisFront is the engine that displays websites hosted on Melis Platform. It handles page display, plugins, URL rewriting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, which ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-front` >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.
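The class restriction mentioned above can be expressed with the `allowed_classes` option of PHP's `unserialize()`. The following is an added example, not code from melis-front or its patch; the classes `AuditProbe` and `PluginParams` and both decode functions are hypothetical, and the payload is constructed for the demonstration.

```php
<?php
// Added illustration: all class and function names are hypothetical,
// not taken from melis-front.

// Constructed stand-in for any loaded class whose magic method runs
// automatically when unserialize() rebuilds an instance of it.
final class AuditProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++; // side effect caused by deserialization alone
    }
}

// Plain data holder: the only class the application expects to receive.
final class PluginParams
{
    public array $values = [];
}

// Unrestricted: every class named in the payload is instantiated.
function decodeUnrestricted(string $payload): mixed
{
    return unserialize($payload);
}

// Restricted: classes outside $allowed become __PHP_Incomplete_Class,
// so their magic methods never run.
function decodeRestricted(string $payload, array $allowed): mixed
{
    return unserialize($payload, ['allowed_classes' => $allowed]);
}

// Constructed sample input standing in for user-controlled data.
$payload = serialize([new PluginParams(), new AuditProbe()]);

decodeUnrestricted($payload);
echo 'unrestricted wakeups: ', AuditProbe::$wakeups, PHP_EOL;

AuditProbe::$wakeups = 0;
$decoded = decodeRestricted($payload, [PluginParams::class]);
echo 'restricted wakeups:   ', AuditProbe::$wakeups, PHP_EOL;
foreach ($decoded as $item) {
    echo get_class($item), PHP_EOL;
}
```

Passing `'allowed_classes' => false` instead of a list refuses every class, which fits payloads that should only ever contain scalars and arrays.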

Key dates

02 Disclosure timeline

October 12, 2022 CVE published
April 23, 2025 Record updated