Melis Platform, the open source e-commerce and content management system (CMS), was vulnerable to remote code execution (RCE) via a critical deserialization vulnerability.
Tracked as CVE-2022-39297 and carrying a CVSS score of 9.8, the object injection flaw has been patched alongside two high-severity bugs: path traversal issue CVE-2022-39296 and CVE-2022-3928, a second deserialization flaw.
Melis Platform, which is maintained by French vendor Melis Technology, is based on Laminas, a popular PHP framework formerly known as Zend Framework, and counts Keyrus, Paco Rabanne, and La Banque Postale among its users.
The vulnerabilities were discovered by researchers from Swiss security outfit Sonar.
“The main vulnerability we identified comes from the deserialization of user data, something that has been known to be unsafe for quite some time now,” Sonar vulnerability researcher Thomas Chauchefoin told The Daily Swig.
“As modern applications are very loosely coupled, it was not immediately obvious, even to an educated eye, that attackers could reach this code. This is where automated code analysis can be very powerful,” they added.
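To make the class of bug concrete, here is an added illustration of PHP object injection alongside two hardened forms. It is not code from Melis Platform or from Sonar's research, and it does not reproduce the patched vulnerabilities; the `CacheWriter` class, the `loadState*` functions, the file path and the payload are all constructed for the demo (PHP 7.4+ assumed). The gadget is deliberately mundane: any class with a `__destruct`, `__wakeup` or `__toString` method that is loadable by the application becomes a candidate, which is why reachability of a single `unserialize()` call matters so much.

```php
<?php
// Added illustration, not Melis Platform code. Class, function and path names
// are hypothetical and chosen only to demonstrate the technique.

// A harmless-looking helper that persists its buffer when the object is
// destroyed. Comparable classes routinely exist inside frameworks and
// libraries that an application autoloads.
class CacheWriter {
    public string $path;
    public string $data;

    public function __destruct() {
        // Runs when the object is garbage-collected, including objects that
        // unserialize() built from attacker-controlled input.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: the serialized string arrives from a request parameter,
// cookie or hidden form field. Every loadable class is fair game.
function loadStateVulnerable(string $payload) {
    return unserialize($payload);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class, so no magic method ever executes.
function loadStateHardened(string $payload) {
    return unserialize($payload, ['allowed_classes' => false]);
}

// Hardened pattern 2: keep PHP's native serialization away from untrusted
// data altogether and accept a data-only format instead.
function loadStateJson(string $payload): ?array {
    $decoded = json_decode($payload, true, 64, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed attacker payload: a serialized CacheWriter whose destructor
// writes a file at a location of the attacker's choosing. The attacker never
// needs the class source, only its name and property names.
function craftPayload(string $path, string $data): string {
    return sprintf(
        'O:%d:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen('CacheWriter'),
        strlen($path), $path,
        strlen($data), $data
    );
}

$target  = sys_get_temp_dir() . '/object-injection-demo.txt';
$payload = craftPayload($target, "written by CacheWriter::__destruct\n");

// Hardened call first: the result is an incomplete class and no file is written.
$safe = loadStateHardened($payload);
printf("hardened: incomplete class = %s, file exists = %s\n",
    var_export($safe instanceof __PHP_Incomplete_Class, true),
    var_export(file_exists($target), true));

// Vulnerable call: the returned object is discarded immediately, which
// triggers __destruct and performs the attacker-chosen write.
loadStateVulnerable($payload);
printf("vulnerable: file exists = %s\n", var_export(file_exists($target), true));

// The JSON variant simply rejects the PHP serialization format.
try {
    loadStateJson($payload);
} catch (JsonException $e) {
    printf("json: rejected payload (%s)\n", $e->getMessage());
}

@unlink($target);
```

Run it with `php demo.php`: the hardened call reports an incomplete class and no file, the vulnerable call reports that the file now exists, and the JSON loader throws. Note that `allowed_classes` only neutralises object instantiation; it does not make `unserialize()` a safe parser for hostile input in every respect, so the JSON route is the stronger default for anything that crosses a trust boundary.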