
CVE-2025-10352: Melis Platform CMS Unauthenticated Admin Account Creation

CVSS Score: N/A

Basic Information

EPSS Score: 0.21085%
Published: 10/8/2025
Updated: 10/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name             | Ecosystem | Vulnerable Versions | First Patched Version
melisplatform/melis-core | composer  | < 5.3.11            | 5.3.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the melis-core module of the Melis Platform, specifically in the ToolUserController. The core issue is a missing authorization check across several functions responsible for user management, so an unauthenticated attacker can perform administrative actions such as creating, deleting, and updating user accounts. Commit e938dd14e108b921e6a399b35976dfb429c41df5 adds access control checks at the beginning of the addNewUserAction, deleteUserAction, and updateUserInfoAction functions in src/Controller/ToolUserController.php. Before this patch, these actions were reachable without authentication, which is what makes the unauthenticated account creation possible. The vulnerable functions are MelisCore\Controller\ToolUserController::addNewUserAction, MelisCore\Controller\ToolUserController::deleteUserAction, and MelisCore\Controller\ToolUserController::updateUserInfoAction. An attacker exploiting this vulnerability would cause these functions to appear in a runtime profile or stack trace, which is the signal a runtime-profiling detection can key on.

Vulnerable functions

MelisCore\Controller\ToolUserController::addNewUserAction
src/Controller/ToolUserController.php
The `addNewUserAction` function is responsible for creating new users. Prior to the patch, this function did not perform any authorization checks, allowing an unauthenticated attacker to create a new user, potentially with administrative privileges, by sending a request to the '/melis/MelisCore/ToolUser/addNewUser' endpoint. The patch adds an access check using `$this->hasAccess(static::TOOL_KEY)` to ensure that only authorized users can create new users.
MelisCore\Controller\ToolUserController::deleteUserAction
src/Controller/ToolUserController.php
The `deleteUserAction` function is responsible for deleting users. Similar to `addNewUserAction`, this function was missing an authorization check. This would allow an unauthenticated attacker to delete any user from the system. The patch mitigates this by adding the same access control check as in `addNewUserAction`.
MelisCore\Controller\ToolUserController::updateUserInfoAction
src/Controller/ToolUserController.php
The `updateUserInfoAction` function is responsible for updating user information. This function also lacked proper authorization checks, enabling an unauthenticated attacker to modify user data. The patch addresses this vulnerability by implementing an access control check at the beginning of the function.
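The before-and-after shape of the fix described above, written as an added illustration rather than Melis Platform's own code. The only names taken from the page are the controller, the three action methods and the `$this->hasAccess(static::TOOL_KEY)` guard; everything else is a stand-in: the Laminas MVC plumbing is replaced by plain classes, the value of `TOOL_KEY`, the body of `hasAccess()`, the `usr_login`/`usr_admin` field names and the array responses are all assumptions so the script runs with a bare `php` binary (8.1 or later) and no dependencies.

```php
<?php
// Added illustration, not melis-core code. Framework pieces (session,
// user table, rights lookup, response shape) are hypothetical stand-ins.
declare(strict_types=1);

// Stand-in for the login session: rights === null means no login at all.
final class Session
{
    public function __construct(public readonly ?array $rights = null) {}
}

// Stand-in for the user store the actions write to.
final class UserTable
{
    /** @var array<string, bool> username => isAdmin */
    public array $users = [];
}

abstract class BaseController
{
    // Tool key checked by the patch; the constant's value is an assumption.
    public const TOOL_KEY = 'meliscore_tool_user';

    public function __construct(protected Session $session, protected UserTable $table) {}

    // Hypothetical implementation behind $this->hasAccess(static::TOOL_KEY):
    // an anonymous session carries no rights, so it never holds the tool key.
    protected function hasAccess(string $key): bool
    {
        return $this->session->rights !== null && in_array($key, $this->session->rights, true);
    }
}

// Pre-patch shape (< 5.3.11): the action acts on the POST body unconditionally.
final class VulnerableToolUserController extends BaseController
{
    public function addNewUserAction(array $post): array
    {
        $this->table->users[$post['usr_login']] = ($post['usr_admin'] ?? '0') === '1';
        return ['success' => true];
    }
}

// Post-patch shape (5.3.11): each user-management action is gated first.
final class PatchedToolUserController extends BaseController
{
    private function denied(): array
    {
        return ['success' => false, 'errors' => ['access' => 'forbidden']];
    }

    public function addNewUserAction(array $post): array
    {
        if (!$this->hasAccess(static::TOOL_KEY)) {
            return $this->denied();
        }
        $this->table->users[$post['usr_login']] = ($post['usr_admin'] ?? '0') === '1';
        return ['success' => true];
    }

    public function deleteUserAction(array $post): array
    {
        if (!$this->hasAccess(static::TOOL_KEY)) {
            return $this->denied();
        }
        unset($this->table->users[$post['usr_login']]);
        return ['success' => true];
    }

    public function updateUserInfoAction(array $post): array
    {
        if (!$this->hasAccess(static::TOOL_KEY)) {
            return $this->denied();
        }
        $this->table->users[$post['usr_login']] = ($post['usr_admin'] ?? '0') === '1';
        return ['success' => true];
    }
}

// Constructed request body standing in for an unauthenticated POST to
// /melis/MelisCore/ToolUser/addNewUser (field names are assumptions).
$post = ['usr_login' => 'backdoor', 'usr_admin' => '1'];
$anonymous = new Session(null);

$table = new UserTable();
(new VulnerableToolUserController($anonymous, $table))->addNewUserAction($post);
printf("vulnerable: admin account created = %s\n", var_export(isset($table->users['backdoor']), true));

$table = new UserTable();
$result = (new PatchedToolUserController($anonymous, $table))->addNewUserAction($post);
printf("patched: success=%s, accounts=%d\n", var_export($result['success'], true), count($table->users));
```

Run it with `php example.php`: the pre-patch controller creates the admin account for a session that was never authenticated, while the patched controller refuses before touching the user table. The point the example makes is the one the commit makes: the guard has to be the first statement of every state-changing action, because nothing earlier in the request pipeline (routing, parameter parsing) establishes authorization.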

WAF Protection Rules

WAF Rule

Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'.

Reasoning

The vulnerability lies in the `melis-core` module of the Melis Platform, specifically within the `ToolUserController`. The core issue is a missing authorization check across multiple functions responsible for user management. The vulnerability allows