File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technologys Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm using the mcsdetail_img parameter.
The product accepts path input in the form of multiple trailing dot (‘filedir….’) without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.