Description

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.

PUBLISHED Reserved 2025-09-12 | Published 2025-10-08 | Updated 2025-10-08 | Assigner INCIBE




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-43: Path Equivalence: 'filename....'

Product status

Default status: unaffected

Any version before 5.3.1: affected

Credits

Jesús Manzano Vázquez (finder)

Juan Manuel Martínez Hernández (finder)

Manuel Iván San Martín Castillo (finder)

Ángel Montilla Muñoz (finder)

References

www.incibe.es/...iso/multiple-vulnerabilities-melis-platform

cve.org (CVE-2025-10353)

nvd.nist.gov (CVE-2025-10353)
