Total
2419 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8519 | 1 Hp | 1 Operations Orchestration | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found.
|
|||||
| CVE-2016-8511 | 1 Hp | 1 Network Automation | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found.
|
|||||
| CVE-2016-6814 | 2 Apache, Redhat | 2 Groovy, Enterprise Linux Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
|
|||||
| CVE-2016-4405 | 1 Hp | 1 Business Service Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26
|
|||||
| CVE-2016-4398 | 1 Hp | 1 Network Node Manager I | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization.
|
|||||
| CVE-2016-3957 | 1 Web2py | 1 Web2py | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
|
|||||
| CVE-2016-1487 | 1 Lexmark | 1 Markvision Enterprise | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization.
|
|||||
| CVE-2016-10753 | 1 E107 | 1 E107 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.
|
|||||
| CVE-2016-10750 | 1 Hazelcast | 1 Hazelcast | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
|
|||||
| CVE-2016-1000027 | 1 Vmware | 1 Spring Framework | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
|
|||||
| CVE-2016-0750 | 1 Infinispan | 1 Infinispan | 2024-11-21 | 6.5 MEDIUM | 4.2 MEDIUM |
|
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
|
|||||
| CVE-2015-2020 | 1 Myscript | 1 Myscript | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.
|
|||||
| CVE-2014-3699 | 1 Redhat | 2 Edeploy, Jboss Enterprise Web Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
eDeploy has RCE via cPickle deserialization of untrusted data
|
|||||
| CVE-2014-1860 | 1 Contao | 1 Contao Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
|
|||||
| CVE-2014-1420 | 1 Canonical | 1 Ubuntu-ui-toolkit | 2024-11-21 | 2.1 LOW | 3.8 LOW |
|
On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1.
|
|||||
| CVE-2013-7489 | 1 Beakerbrowser | 1 Beaker | 2024-11-21 | 5.2 MEDIUM | 6.8 MEDIUM |
|
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
|
|||||
| CVE-2013-4521 | 1 Nuxeo | 1 Nuxeo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.
|
|||||
| CVE-2024-52430 | 1 Lis | 1 Video Gallery | 2024-11-20 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Lis Lis Video Gallery allows Object Injection.This issue affects Lis Video Gallery: from n/a through 0.2.1.
|
|||||
| CVE-2024-52432 | 1 Nixsolutions | 1 Nix Anti-spam Light | 2024-11-20 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Object Injection.This issue affects NIX Anti-Spam Light: from n/a through 0.0.4.
|
|||||
| CVE-2024-52433 | 1 Mindstien | 1 My Geo Posts Free | 2024-11-20 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free allows Object Injection.This issue affects My Geo Posts Free: from n/a through 1.2.
|
|||||
| CVE-2024-10828 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-19 | N/A | 9.8 CRITICAL |
|
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the rig ...
Show More |
|||||
| CVE-2021-3838 | 1 Dompdf Project | 1 Dompdf | 2024-11-19 | N/A | 9.8 CRITICAL |
|
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
|
|||||
| CVE-2024-52306 | 1 Backpackforlaravel | 1 Filemanager | 2024-11-19 | N/A | 9.8 CRITICAL |
|
FileManager provides a Backpack admin interface for files and folder. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9.
|
|||||
| CVE-2024-52413 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in DMC Airin Blog allows Object Injection.This issue affects Airin Blog: from n/a through 1.6.1.
|
|||||
| CVE-2024-52411 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Flowcraft UX Design Studio Advanced Personalization allows Object Injection.This issue affects Advanced Personalization: from n/a through 1.1.2.
|
|||||
| CVE-2024-52414 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu allows Object Injection.This issue affects WDES Responsive Mobile Menu: from n/a through 5.3.18.
|
|||||
| CVE-2024-52410 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector allows Object Injection.This issue affects Referrer Detector: from n/a through 4.2.1.0.
|
|||||
| CVE-2024-52412 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection.This issue affects Xin: from n/a through 1.0.8.1.
|
|||||
| CVE-2024-52409 | 2024-11-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Phan An AJAX Random Posts allows Object Injection.This issue affects AJAX Random Posts: from n/a through 0.3.3.
|
|||||
| CVE-2024-10962 | 2024-11-15 | N/A | 8.8 HIGH | ||
|
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the att ...
Show More |
|||||
| CVE-2024-44102 | 1 Siemens | 1 Telecontrol Server Basic | 2024-11-13 | N/A | 10.0 CRITICAL |
|
A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1) (All versions < V3.1.2.1 with redundanc ...
Show More |
|||||
| CVE-2024-7434 | 1 Ultrapress | 1 Ultrapress | 2024-11-13 | N/A | 8.8 HIGH |
|
The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive da ...
Show More |
|||||
| CVE-2024-7433 | 1 Ultrapress | 1 Empowerment | 2024-11-13 | N/A | 8.8 HIGH |
|
The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive d ...
Show More |
|||||
| CVE-2024-7432 | 1 Ultrapress | 1 Unseen Blog | 2024-11-13 | N/A | 8.8 HIGH |
|
The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive d ...
Show More |
|||||
| CVE-2024-47636 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-12 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Eyecix JobSearch allows Object Injection.This issue affects JobSearch: from n/a through 2.5.9.
|
|||||
| CVE-2024-47074 | 1 Dataease | 1 Dataease | 2024-11-12 | N/A | 9.8 CRITICAL |
|
DataEase is an open source data visualization analysis tool. In Dataease, the PostgreSQL data source in the data source function can customize the JDBC connection parameters and the PG server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, PgConfiguration class don't filter any parameters, directly concat user input. So, if the attacker adds some parameters in JDBC url, and connect to evil PG server, the attacker can trigger the PG jdbc deseria ...
Show More |
|||||
| CVE-2024-10749 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-06 | 4.6 MEDIUM | 8.1 HIGH |
|
A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. Affected is the function script of the file /app/admin/controller/api/Plugs.php. The manipulation of the argument uptoken leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not re ...
Show More |
|||||
| CVE-2024-48206 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
|
A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code.
|
|||||
| CVE-2024-50507 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection.This issue affects DS.DownloadList: from n/a through 1.3.
|
|||||
| CVE-2024-10456 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
|
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication.
|
|||||