Total: 896 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-46366 | 1 Apache | 1 Tapestry | 2023-02-03 | N/A | 9.8 CRITICAL |
** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry. | |||||
CVE-2019-4279 | 1 Ibm | 1 Websphere Application Server | 2023-02-03 | 10.0 HIGH | 9.8 CRITICAL |
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445. | |||||
CVE-2022-36944 | 2 Fedoraproject, Scala-lang | 2 Fedora, Scala | 2023-02-03 | N/A | 9.8 CRITICAL |
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. | |||||
CVE-2020-17531 | 1 Apache | 1 Tapestry | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version. | |||||
CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2023-02-02 | 7.5 HIGH | 9.8 CRITICAL |
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a <ex:serializable> element. | |||||
CVE-2019-14892 | 3 Apache, Fasterxml, Redhat | 8 Geode, Jackson-databind, Decision Manager and 5 more | 2023-02-02 | 7.5 HIGH | 9.8 CRITICAL |
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. | |||||
CVE-2018-3972 | 1 Getmonero | 1 Monero | 2023-02-02 | 7.5 HIGH | 9.8 CRITICAL |
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability. | |||||
CVE-2023-24997 | | | 2023-02-01 | N/A | N/A |
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223 to solve it. | |||||
CVE-2022-31710 | 1 Vmware | 1 Vrealize Log Insight | 2023-02-01 | N/A | 7.5 HIGH |
vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. | |||||
CVE-2022-3359 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2023-02-01 | N/A | 8.8 HIGH |
The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | |||||
CVE-2022-3425 | 1 Sumo | 1 Google Analyticator | 2023-01-31 | N/A | 7.2 HIGH |
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | |||||
CVE-2022-4680 | | | 2023-01-31 | N/A | N/A |
The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | |||||
CVE-2022-44645 | | | 2023-01-31 | N/A | N/A |
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1. | |||||
CVE-2022-32521 | | | 2023-01-31 | N/A | N/A |
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0) | |||||
CVE-2022-4323 | 1 Sumo | 1 Google Analyticator | 2023-01-30 | N/A | 7.2 HIGH |
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | |||||
CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2023-01-30 | N/A | 8.8 HIGH |
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | |||||
CVE-2023-22850 | 1 Tiki | 1 Tiki | 2023-01-25 | N/A | 8.8 HIGH |
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | |||||
CVE-2022-4890 | 1 Predictapp Project | 1 Predictapp | 2023-01-24 | N/A | 9.8 CRITICAL |
A vulnerability, which was classified as critical, has been found in abhilash1985 PredictApp. This issue affects some unknown processing of the file config/initializers/new_framework_defaults_7_0.rb of the component Cookie Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The name of the patch is b067372f3ee26fe1b657121f0f41883ff4461a06. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218387. | |||||
CVE-2022-41778 | 1 Deltaww | 1 Infrasuite Device Master | 2023-01-23 | N/A | 8.8 HIGH |
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. | |||||
CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2023-01-23 | N/A | 9.8 CRITICAL |
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. |