melisplatform/melis-cms
Fixed in
5.3.4
CVE-2025-10351 describes a critical SQL injection vulnerability discovered in the melisplatform/melis-cms module of the Melis platform. This flaw allows attackers to execute arbitrary SQL queries, potentially leading to unauthorized access, modification, or deletion of sensitive data. The vulnerability impacts versions of Melis CMS up to and including 5.3.3, and a patch is available in version 5.3.4.
The SQL injection vulnerability in Melis CMS poses a significant threat. An attacker could exploit this flaw to extract sensitive information stored in the database, including user credentials, financial data, and proprietary business information. Beyond data exfiltration, the attacker could potentially modify or delete data, leading to data integrity issues and service disruption. Furthermore, successful exploitation could allow for privilege escalation, granting the attacker administrative access to the entire Melis CMS system. The impact is amplified if the database contains personally identifiable information (PII), potentially leading to regulatory compliance violations and reputational damage.
CVE-2025-10351 was publicly disclosed on 2025-10-08. The vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Currently, there are no publicly available proof-of-concept exploits, but the SQL injection nature of the vulnerability makes it likely that such exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Melis CMS versions 5.3.3 and earlier, particularly those hosting the CMS on shared hosting environments or with limited security controls, are at significant risk. Those who have not implemented robust input validation practices or web application firewalls are also more vulnerable.
• php: Examine application logs for SQL injection attempts targeting the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint. Look for unusual SQL queries containing malicious payloads (the pattern below uses alternation, so grep needs -E).
grep -iE 'idPage=.*(select|union|insert|delete|drop)' /var/log/apache2/access.log
• generic web: Use curl to test the endpoint with various SQL injection payloads and observe the response for errors or unexpected data.
curl 'http://your-melis-cms-server/melis/MelisCms/PageEdition/getTinyTemplates?idPage=1 UNION SELECT user(),database() -- '
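As an added detection example (not part of the advisory), the following Python script goes one step beyond the keyword grep above: it flags every request to the affected endpoint whose idPage is not a plain integer (an allow-list, so it does not depend on spotting particular SQL keywords) and URL-decodes the value so the analyst sees what was actually sent. The endpoint path and the payload are those quoted above; the log lines are constructed.

```python
# Added detection example (not from the advisory); the sample log lines are constructed.
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

ENDPOINT = "/melis/MelisCms/PageEdition/getTinyTemplates"
# Keywords from the advisory's grep pattern, used only to label a hit.
SQL_KEYWORD = re.compile(r"\b(select|union|insert|delete|drop)\b", re.IGNORECASE)
# Apache/nginx combined log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def suspicious_idpage(target):
    """Return the decoded idPage value when it is not a plain integer
    (the allow-list a page id must satisfy), otherwise None."""
    url = urlparse(target)
    if url.path != ENDPOINT:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("idPage", []):
        # parse_qs decodes once; decode again so a double-encoded payload
        # (%2520 -> %20 -> space) is reported in readable form.
        value = unquote_plus(raw)
        if not value.isdigit():
            return value
    return None

def scan_log(lines):
    """Return one record per request whose idPage fails the integer check."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        value = suspicious_idpage(m.group("target"))
        if value is None:
            continue
        kw = SQL_KEYWORD.search(value)
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "status": int(m.group("status")), "idPage": value,
                     "keyword": kw.group(1).lower() if kw else None})
    return hits

# Constructed sample log: a normal request, the advisory's payload URL-encoded
# once, and the same payload double-encoded (still caught by the integer check).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2025:10:01:02 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=12 HTTP/1.1" 200 512
203.0.113.9 - - [08/Oct/2025:10:01:07 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=1%20UNION%20SELECT%20user(),database()%20--%20 HTTP/1.1" 200 2048
203.0.113.9 - - [08/Oct/2025:10:01:09 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=1%2520UNION%2520SELECT%2520user(),database()%2520--%2520 HTTP/1.1" 200 2048
"""

print(*scan_log(SAMPLE_LOG.splitlines()), sep="\n")
```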
Exploit Status
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2025-10351 is to immediately upgrade Melis CMS to version 5.3.4 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as input validation and sanitization on the 'idPage' parameter within the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting this specific endpoint can also provide a layer of protection. Monitor application logs for suspicious SQL queries and unusual database activity. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload on the affected endpoint and verifying that it is properly sanitized.
Update the Melis platform to version 5.3.4 or later. This update fixes the SQL injection vulnerability in the Melis CMS module. Making a backup before updating is recommended.
CVE-2025-10351 is a critical SQL injection vulnerability affecting Melis CMS versions up to 5.3.3, allowing attackers to manipulate databases through the 'idPage' parameter.
Yes, if you are running Melis CMS versions 5.3.3 or earlier, you are vulnerable to this SQL injection flaw.
Upgrade Melis CMS to version 5.3.4 or later. As a temporary workaround, implement input validation and WAF rules.
While no public exploits are currently available, the vulnerability's severity suggests a potential for active exploitation.
Refer to the official Melis Technology website and security advisories for the latest information and updates regarding CVE-2025-10351.