
CVE-2025-10353 Scanner

CVE-2025-10353 Scanner - Unrestricted File Upload vulnerability in Melis Platform

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 19 hours
Scan only one: Domain, Subdomain, IPv4


Melis Platform is a software solution developed by Melis Technology, primarily used by web developers and businesses for building and managing content-rich websites. It is widely utilized for its scalability and flexibility in delivering dynamic web content. The platform supports a range of customizable features, making it an effective tool for developing enterprise-level websites and applications. Its modular architecture allows developers to extend functionality as needed to meet specific business requirements. Melis Platform is often chosen by companies seeking a robust CMS (Content Management System) solution that can handle complex content workflows and integration with other digital tools. Its user-friendly interface and comprehensive support make it a popular choice for both large organizations and individual developers.

An unrestricted file upload vulnerability means attackers can upload malicious files without proper validation. This can lead to several security issues, including remote code execution, which can compromise the entire system. The vulnerability occurs due to insufficient validation of the 'mcsdetail_img' parameter in the specified endpoint. Because neither the file type nor the file content is checked, attackers can upload any file type. Such vulnerabilities typically arise from a failure to restrict file types or to validate file content thoroughly. This type of security flaw is particularly dangerous because it provides an entry point for malicious actors into the system.

The technical details of this vulnerability involve the manipulation of multipart form-data requests to the Melis Platform. By crafting a POST request containing malicious files, specifically through the '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' endpoint, attackers exploit insufficient checks in the 'mcsdetail_img' parameter. Because the checks on file type and file content are inadequate, arbitrary files can be uploaded to the server. If successful, a follow-up GET request confirms that the uploaded file is available on the server and is executed. The system fails to handle these requests securely, enabling execution of malicious code.
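As an added example (not part of this scanner page or of the Melis Platform code), the following Python correlates web-server access log lines to flag the request pattern described above: a multipart POST to the saveDetailsForm endpoint followed shortly by a GET from the same client for a server-side script. The log format (combined log with the request Content-Type appended as the last field), the script-extension heuristic and the sample lines are all assumptions.

```python
# Detection helper: correlate a multipart POST to the Melis saveDetailsForm
# endpoint with a follow-up GET for a server-side script from the same client.
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm"
# Assumption: a successful abuse ends with the uploaded file being requested under a
# script extension; the advisory does not state where uploaded files are stored.
SCRIPT_EXT = re.compile(r"\.(php|phtml|phar)(\?|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=5)

# Assumed format: combined log line with the request Content-Type as a trailing quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious_sequences(lines):
    """Return (ip, upload_time, get_path) for each upload followed by a script GET."""
    uploads = {}  # ip -> time of its most recent multipart POST to the upload endpoint
    hits = []
    for rec in filter(None, map(parse, lines)):
        if (rec["method"] == "POST" and rec["path"].startswith(UPLOAD_ENDPOINT)
                and rec["ctype"].lower().startswith("multipart/form-data")):
            uploads[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and SCRIPT_EXT.search(rec["path"]):
            t0 = uploads.get(rec["ip"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= WINDOW:
                hits.append((rec["ip"], t0, rec["path"]))
    return hits

# Constructed sample log lines (not taken from the advisory); paths after the POST are invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 512 "multipart/form-data; boundary=----x"',
    '203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /media/slider/EXAMPLE_UPLOAD.php HTTP/1.1" 200 34 "-"',
    '198.51.100.9 - - [01/Oct/2025:10:01:10 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 512 "multipart/form-data; boundary=----y"',
    '198.51.100.9 - - [01/Oct/2025:10:01:12 +0000] "GET /media/slider/banner.png HTTP/1.1" 200 9001 "-"',
]

if __name__ == "__main__":
    for ip, when, path in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip}: multipart upload at {when:%H:%M:%S}, then GET {path}")
```

The second client uploads an image and then fetches a .png, so it is not reported; only the client whose upload is followed by a request for a script path is flagged.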

Exploiting this vulnerability could potentially allow attackers full control over the affected system. The malicious files can execute arbitrary code, compromising sensitive data and allowing unauthorized operations. Attackers can deface websites, install backdoors, or manipulate system files, leading to a complete system compromise. In worst-case scenarios, this could render the platform inoperable, disrupt business operations, and cause significant financial and reputational damage. Successful exploitation could also facilitate further attacks, with the compromised system used to target connected networks or services.
