Multiple vulnerabilities in Melis Platform
Posted date 08/10/2025
Identifier
INCIBE-2025-0547
Affected Resources
- Melis Platform melis-cms module, versions prior to 5.3.4.
- Melis Platform melis-core module, versions prior to 5.3.11.
- Melis Platform melis-cms-slider module, versions prior to 5.3.1.
Description
INCIBE has coordinated the publication of three critical vulnerabilities affecting Melis Technology's Melis Platform, an all-in-one digital platform designed to create, manage and deploy web applications. The vulnerabilities were discovered by Jesús Manzano Vázquez, Juan Manuel Martínez Hernández, Manuel Iván San Martín Castillo and Ángel Montilla Muñoz.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-10351: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-10352: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-862
- CVE-2025-10353: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-43
Solution
The vulnerabilities have been fixed by the Melis Technology team in the melis-cms v5.3.4, melis-core v5.3.11, and melis-cms-slider v5.3.1 modules.
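To confirm whether a deployment already carries the fixed modules, the following added example (not part of the advisory and not Melis Technology code) audits a Composer lock file against the versions listed above. It assumes the site was installed with Composer; the sample lock content and its vendor prefix are constructed for illustration.

```python
import json
import re

# First fixed release of each module, as stated in the advisory.
FIXED = {
    "melis-cms": (5, 3, 4),         # CVE-2025-10351
    "melis-core": (5, 3, 11),       # CVE-2025-10352
    "melis-cms-slider": (5, 3, 1),  # CVE-2025-10353
}

def parse_version(text):
    """Turn 'v5.3.10' or '5.3.10' into (5, 3, 10); None if not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def audit_lock(lock_text):
    """Return {module: (installed_version, status)} for the affected modules."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    results = {}
    for pkg in packages:
        # Match on the module name after the vendor slash, as named in the advisory.
        module = pkg.get("name", "").rsplit("/", 1)[-1]
        if module not in FIXED:
            continue
        version = pkg.get("version", "")
        installed = parse_version(version)
        if installed is None:
            status = "unknown"  # branch alias such as dev-*: verify by hand
        elif installed < FIXED[module]:  # numeric compare, so 5.3.9 < 5.3.11
            status = "vulnerable"
        else:
            status = "fixed"
        results[module] = (version, status)
    return results

# Constructed sample lock file (package names and versions are illustrative).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "melisplatform/melis-cms", "version": "v5.3.3"},
    {"name": "melisplatform/melis-core", "version": "v5.3.11"},
    {"name": "melisplatform/melis-cms-slider", "version": "dev-develop"},
    {"name": "laminas/laminas-db", "version": "2.20.0"},
]})

if __name__ == "__main__":
    for module, (version, status) in sorted(audit_lock(SAMPLE_LOCK).items()):
        print(f"{module:18} {version:12} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 5.3.9 above 5.3.11 and misreport a vulnerable melis-core as fixed.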
Detail
- CVE-2025-10351: SQL injection vulnerability in the melis-cms module of Melis Technology's Melis Platform. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint.
- CVE-2025-10352: vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'.
- CVE-2025-10353: file upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.
CVE
- CVE-2025-10351: Severity: Critical | Exploitation: No | Manufacturer: Melis Technology
- CVE-2025-10352: Severity: Critical | Exploitation: No | Manufacturer: Melis Technology
- CVE-2025-10353: Severity: Critical | Exploitation: No | Manufacturer: Melis Technology