
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical deserialization vulnerability (CVE-2022-39298) was discovered in MelisFront, the engine responsible for displaying websites hosted on Melis Platform. It affects versions up to and including 5.0.0; the vulnerable code has existed since Melis 2.2.0, roughly five years. The Sonar AppSec team found it during a security scan, and it was patched in version 5.0.1 (Sonar Blog).
The flaw is in MelisPluginRendererController, where data from the POST body is deserialized without restriction. The vulnerable code path reads the request body with getRequest()->getPost()->toArray(), takes the 'pluginHardcodedConfig' parameter, runs it through html_entity_decode() and passes the result to PHP's unserialize() without limiting which classes may be instantiated. The attacker therefore chooses the class name and property values of every object unserialize() creates. That is a PHP object injection: magic methods such as __wakeup() and __destruct() of classes already loaded by the application run on attacker-supplied properties, and chaining such gadgets into a property-oriented programming (POP) chain leads to code execution (Sonar Blog).
Exploitation requires no authentication: an unauthenticated attacker who can send a POST request to the affected controller can execute arbitrary PHP code on the server, which amounts to full compromise of the host (GitHub Advisory).
The fix in Melis Platform 5.0.1 passes ['allowed_classes' => false] to the unserialize() calls. With that option PHP still decodes scalars and arrays, but it instantiates no application class: any object in the payload becomes a __PHP_Incomplete_Class instance, so none of the application's magic methods run. Users are strongly advised to upgrade to version 5.0.1 or later. Where the input is user-controlled, the more robust design is not to accept PHP-serialized data at all and to use a data-only format such as JSON (GitHub Commit).
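The following is an added illustration, not code from Melis Platform, the Sonar write-up or the GitHub fix. It reproduces the pattern the advisory describes (a 'pluginHardcodedConfig' POST parameter that is html_entity_decode()d and then unserialize()d) side by side with the 5.0.1 hardening, and shows why one matters and the other works. The LogWriter gadget class, the renderPlugin*() function names, the simulated POST body and the output path are constructed for the example and are not identifiers from the project.

```php
<?php
// Added example, not Melis Platform code. Vulnerable vs. fixed unserialize()
// on an HTML-entity-decoded POST parameter, driven by a constructed payload.

// Hypothetical gadget: any class the application already has loaded whose
// magic method does something with attacker-controlled properties. A
// __destruct() that writes a file is a classic primitive for dropping a web shell.
class LogWriter
{
    public $path = '/tmp/app.log';
    public $data = '';

    public function __destruct()
    {
        // Runs when the object is freed, including objects built by unserialize().
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable shape: unserialize() instantiates whatever class the payload names.
function renderPluginVulnerable(array $post)
{
    $config = html_entity_decode($post['pluginHardcodedConfig'] ?? '');
    return unserialize($config);
}

// Fixed shape (the 5.0.1 approach): scalars and arrays still decode, but any
// object in the payload becomes __PHP_Incomplete_Class, so no application
// class is instantiated and none of its magic methods run.
function renderPluginFixed(array $post)
{
    $config = html_entity_decode($post['pluginHardcodedConfig'] ?? '');
    return unserialize($config, ['allowed_classes' => false]);
}

// Constructed payload: a serialized LogWriter whose __destruct() writes a PHP
// file. It is written out by hand rather than with serialize() so that no
// LogWriter instance (and therefore no destructor) exists in this script before
// the calls below. The controller decodes HTML entities before unserializing,
// so the attacker entity-encodes the payload; html_entity_decode() restores it.
$target     = '/tmp/pwned.php';
$serialized = 'O:9:"LogWriter":2:{s:4:"path";s:14:"' . $target . '";'
            . 's:4:"data";s:19:"<?php phpinfo(); ?>";}';
$post = ['pluginHardcodedConfig' => htmlentities($serialized)];

// 1. Unrestricted unserialize(): the gadget fires as soon as the returned
//    object is discarded at the end of the statement, and the file appears.
@unlink($target);
renderPluginVulnerable($post);
printf("vulnerable: file written = %s\n", var_export(file_exists($target), true));

// 2. allowed_classes => false: the payload still parses, but the object is inert.
@unlink($target);
$obj = renderPluginFixed($post);
printf("fixed: class = %s, file written = %s\n",
    get_class($obj), var_export(file_exists($target), true));
@unlink($target);
```

Running it with any supported PHP CLI prints that the vulnerable call wrote the file and the fixed call returned an object of class __PHP_Incomplete_Class with nothing written. Note that the gadget here is deliberately trivial; in a real application the gadgets come from framework and vendor classes that the attacker never has to upload, which is why every unserialize() call on untrusted input is reachable code execution until it is restricted. A quick audit for the same bug class is to search the code base for unserialize( calls that lack an allowed_classes option.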
Source: This report was generated using AI