Total
2419 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4451 | 1 Nintechnet | 1 Ninjafirewall | 2024-10-30 | N/A | 7.2 HIGH |
|
The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall).
|
|||||
| CVE-2024-50416 | 1 Wpclever | 1 Wpc Shop As A Customer For Woocommerce | 2024-10-29 | N/A | 8.8 HIGH |
|
Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6.
|
|||||
| CVE-2024-49684 | 2024-10-25 | N/A | 7.2 HIGH | ||
|
Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21.
|
|||||
| CVE-2024-49332 | 1 Giveawayboost | 1 Giveaway Boost | 2024-10-24 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection.This issue affects Giveaway Boost: from n/a through 2.1.4.
|
|||||
| CVE-2024-49625 | 1 Brandonclark | 1 Sitebuilder Dynamic Components | 2024-10-24 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection.This issue affects SiteBuilder Dynamic Components: from n/a through 1.0.
|
|||||
| CVE-2024-49624 | 1 Smartdevth | 1 Advanced Advertising System | 2024-10-24 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Smartdevth Advanced Advertising System allows Object Injection.This issue affects Advanced Advertising System: from n/a through 1.3.1.
|
|||||
| CVE-2024-49626 | 1 Piyushmca | 1 Shipyaari Shipping Management | 2024-10-23 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in Piyushmca Shipyaari Shipping Management allows Object Injection.This issue affects Shipyaari Shipping Management: from n/a through 1.2.
|
|||||
| CVE-2024-10079 | 1 Newsignature | 1 Wp Easy Post Types | 2024-10-22 | N/A | 8.8 HIGH |
|
The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajax_import_content' function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacke ...
Show More |
|||||
| CVE-2024-9917 | 1 Usualtool | 1 Usualtoolcms | 2024-10-19 | 6.5 MEDIUM | 4.9 MEDIUM |
|
A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. This affects an unknown part of the file app/modules/ut-template/admin/template_creat.php. The manipulation of the argument content leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-49318 | 2024-10-18 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection.This issue affects My Reading Library: from n/a through 1.0.
|
|||||
| CVE-2024-45733 | 2 Microsoft, Splunk | 2 Windows, Splunk | 2024-10-16 | N/A | 8.8 HIGH |
|
In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an insecure session storage configuration.
|
|||||
| CVE-2024-48026 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Grayson Robbins Disc Golf Manager allows Object Injection.This issue affects Disc Golf Manager: from n/a through 1.0.0.
|
|||||
| CVE-2024-49226 | 2024-10-16 | N/A | 8.8 HIGH | ||
|
Deserialization of Untrusted Data vulnerability in TAKETIN TAKETIN To WP Membership allows Object Injection.This issue affects TAKETIN To WP Membership: from n/a through 2.8.0.
|
|||||
| CVE-2024-49227 | 2024-10-16 | N/A | 8.8 HIGH | ||
|
Deserialization of Untrusted Data vulnerability in Innovaweb Sp. Z o.O. Free Stock Photos Foter allows Object Injection.This issue affects Free Stock Photos Foter: from n/a through 1.5.4.
|
|||||
| CVE-2024-49218 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection.This issue affects Recently: from n/a through 1.1.
|
|||||
| CVE-2024-48030 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Gabriele Valenti Telecash Ricaricaweb allows Object Injection.This issue affects Telecash Ricaricaweb: from n/a through 2.2.
|
|||||
| CVE-2024-48028 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 allows Object Injection.This issue affects IP Loc8: from n/a through 1.1.
|
|||||
| CVE-2023-25581 | 2024-10-15 | N/A | N/A | ||
|
pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInp ...
Show More |
|||||
| CVE-2024-48033 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
|
Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection.This issue affects Talkback: from n/a through 1.0.
|
|||||
| CVE-2024-8922 | 1 Piwebsolution | 1 Product Enquiry For Woocommerce | 2024-10-04 | N/A | 8.8 HIGH |
|
The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it c ...
Show More |
|||||
| CVE-2024-8885 | 2024-10-04 | N/A | 8.8 HIGH | ||
|
A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.
|
|||||
| CVE-2024-7576 | 1 Telerik | 1 Ui For Wpf | 2024-10-03 | N/A | 9.8 CRITICAL |
|
In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability.
|
|||||
| CVE-2024-8316 | 1 Telerik | 1 Ui For Wpf | 2024-10-03 | N/A | 7.8 HIGH |
|
In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability.
|
|||||
| CVE-2024-8514 | 1 Prisna | 1 Google Website Translator | 2024-10-02 | N/A | 7.2 HIGH |
|
The Prisna GWT – Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the 'prisna_import' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could ...
Show More |
|||||
| CVE-2024-8353 | 1 Givewp | 1 Givewp | 2024-10-01 | N/A | 9.8 CRITICAL |
|
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CV ...
Show More |
|||||
| CVE-2024-7351 | 1 Presstigers | 1 Simple Job Board | 2024-09-27 | N/A | 7.2 HIGH |
|
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbit ...
Show More |
|||||
| CVE-2022-2446 | 1 Benjaminrojas | 1 Wp Editor | 2024-09-27 | N/A | 7.2 HIGH |
|
The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file ...
Show More |
|||||
| CVE-2024-8862 | 1 H2o | 1 H2o | 2024-09-20 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-44902 | 1 Thinkphp | 1 Thinkphp | 2024-09-20 | N/A | 9.8 CRITICAL |
|
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
|
|||||
| CVE-2024-38018 | 1 Microsoft | 1 Sharepoint Server | 2024-09-18 | N/A | 8.8 HIGH |
|
Microsoft SharePoint Server Remote Code Execution Vulnerability
|
|||||
| CVE-2024-28991 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-16 | N/A | 8.8 HIGH |
|
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
|
|||||
| CVE-2024-45855 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH |
|
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.
|
|||||
| CVE-2024-45854 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH |
|
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.
|
|||||
| CVE-2024-45853 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH |
|
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.
|
|||||
| CVE-2024-45852 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 8.8 HIGH |
|
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.
|
|||||
| CVE-2024-37288 | 1 Elastic | 1 Kibana | 2024-09-16 | N/A | 8.8 HIGH |
|
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .
|
|||||
| CVE-2024-43931 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-09-13 | N/A | 9.8 CRITICAL |
|
Deserialization of Untrusted Data vulnerability in eyecix JobSearch allows Object Injection.This issue affects JobSearch: from n/a through 2.5.3.
|
|||||
| CVE-2024-41874 | 1 Adobe | 1 Coldfusion | 2024-09-13 | N/A | 9.8 CRITICAL |
|
ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2024-43464 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 7.2 HIGH |
|
Microsoft SharePoint Server Remote Code Execution Vulnerability
|
|||||
| CVE-2024-43466 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 7.5 HIGH |
|
Microsoft SharePoint Server Denial of Service Vulnerability
|
|||||