POC for CVE-2025-10353: A file-upload vulnerability in the melis-cms-slider module of Melis Platform that can lead to remote code execution (RCE) when an attacker uploads a malicious file via the mcsdetail_img parameter to: /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm
- 📄 CVE-2025-10353 on MITRE
- 📄 Melis Platform Warning on INCIBE (Spanish National Cybersecurity Institute)
- 📄 PoC: CVE-2025-10353-POC.txt (raw HTTP request exported from Burp) — do not publish publicly.
This PoC demonstrates a file upload → RCE chain in the melis-cms-slider module.
The vulnerable endpoint accepts multipart form uploads via the mcsdetail_img field but fails to properly validate, sanitize, or restrict the uploaded content.
Under certain configurations, the uploaded file is stored in a web-accessible directory where it can be executed, resulting in remote code execution.
Additionally, the parameter mcsdetail_mcslider_id controls which slider subdirectory the uploaded web shell will be placed in.
The application begins numbering slider directories from 1, so setting this parameter to 0 causes the file to be stored in a hidden directory that is not visible through the standard web interface.
Impact includes:
- Remote execution of arbitrary code on the web application host.
- Complete compromise of web application and potential lateral movement.
- Data exfiltration, tampering or destruction.
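As an added defender-side example (not part of the original PoC), the following Python script scans web-server access logs for the chain described above: a POST to the saveDetailsForm endpoint followed by a request for a server-side script under /media/sliders/, with slider id 0 treated as a strong indicator because the application only creates ids from 1. It assumes the Apache/nginx combined log format; the log lines are constructed samples.

```python
import re

# Endpoint and media path taken from the PoC description above.
UPLOAD_ENDPOINT = "/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm"
# Server-side script files requested under the slider media directory.
SLIDER_SCRIPT_RE = re.compile(
    r"^/media/sliders/(?P<slider>\d+)/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|$)", re.I)
# Apache/nginx "combined" access-log line (assumption: the host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /media/sliders/0/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:12:05:10 +0000] "GET /media/sliders/3/banner.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:12:06:00 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

def analyze(lines):
    """Return one finding per request that executes a script under /media/sliders/."""
    uploaders = set()  # client IPs that successfully POSTed to the slider save endpoint
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        # Remember clients that used the upload endpoint (query string stripped).
        if method == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT and status.startswith("2"):
            uploaders.add(ip)
            continue
        s = SLIDER_SCRIPT_RE.match(path)
        if not s:
            continue
        reasons = ["server-side script requested under slider media directory"]
        if s["slider"] == "0":
            reasons.append("slider id 0 is outside the range the application creates (ids start at 1)")
        if ip in uploaders:
            reasons.append("same client previously POSTed to the slider upload endpoint")
        findings.append({"ip": ip, "time": m["ts"], "path": path, "slider": s["slider"],
                         "severity": "critical" if len(reasons) > 1 else "high",
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ip"], f["path"], "|", "; ".join(f["reasons"]))
```

Remediation on the server side is the real fix (reject non-image uploads, refuse slider ids below 1, and deny script execution under /media/); this scan only helps confirm whether the chain was exercised.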
- Burp Suite (recommended) or equivalent HTTP proxy that supports raw request replay.
- CLI tools for safe triage (curl, wget, nc) — only for authorized tests.
- Access to the PoC file CVE-2025-10353-POC.txt (raw HTTP request exported from Burp).
- Explicit written authorization to test the target system.
Important: Do not run exploit or payloads against production/third-party systems. Use isolated testbeds or VM snapshots.
- Open Burp → Repeater.
- Open CVE-2025-10353-POC.txt and copy the raw HTTP request.
- Paste it into a new Repeater tab, set the proper host and press Send.
- Check the response for the route of the uploaded file.
- Attempt to access the endpoint provided. Example: http://vulnerable-host.com/media/sliders/0/shell.php
This document is for authorized security testing and remediation only. Do not use the PoC or reproduction steps against systems you do not own or do not have explicit permission to test. The author is not responsible for misuse.
Made with ❤️ by Manuel Iván San Martín Castillo