Vulnerabilities (CVE)

Filtered by CWE-502
Total 896 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-46366 1 Apache 1 Tapestry 2023-02-03 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
CVE-2019-4279 1 Ibm 1 Websphere Application Server 2023-02-03 10.0 HIGH 9.8 CRITICAL
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
CVE-2022-36944 2 Fedoraproject, Scala-lang 2 Fedora, Scala 2023-02-03 N/A 9.8 CRITICAL
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
CVE-2020-17531 1 Apache 1 Tapestry 2023-02-03 7.5 HIGH 9.8 CRITICAL
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
CVE-2016-5003 1 Apache 1 Ws-xmlrpc 2023-02-02 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a <ex:serializable> element.
CVE-2019-14892 3 Apache, Fasterxml, Redhat 8 Geode, Jackson-databind, Decision Manager and 5 more 2023-02-02 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, and, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2018-3972 1 Getmonero 1 Monero 2023-02-02 7.5 HIGH 9.8 CRITICAL
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
CVE-2023-24997 2023-02-01 N/A N/A
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick to solve it.
CVE-2022-31710 1 Vmware 1 Vrealize Log Insight 2023-02-01 N/A 7.5 HIGH
vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.
CVE-2022-3359 1 Averta 1 Shortcodes And Extra Features For Phlox Theme 2023-02-01 N/A 8.8 HIGH
The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
CVE-2022-3425 1 Sumo 1 Google Analyticator 2023-01-31 N/A 7.2 HIGH
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2022-4680 2023-01-31 N/A N/A
The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2022-44645 2023-01-31 N/A N/A
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1.
CVE-2022-32521 2023-01-31 N/A N/A
A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)
CVE-2022-4323 1 Sumo 1 Google Analyticator 2023-01-30 N/A 7.2 HIGH
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present
CVE-2022-45923 1 Opentext 1 Opentext Extended Ecm 2023-01-30 N/A 8.8 HIGH
An issue was discovered in OpenText Content Suite Platform 22.1 ( The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker.
CVE-2023-22850 1 Tiki 1 Tiki 2023-01-25 N/A 8.8 HIGH
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
CVE-2022-4890 1 Predictapp Project 1 Predictapp 2023-01-24 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in abhilash1985 PredictApp. This issue affects some unknown processing of the file config/initializers/new_framework_defaults_7_0.rb of the component Cookie Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The name of the patch is b067372f3ee26fe1b657121f0f41883ff4461a06. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218387.
CVE-2022-41778 1 Deltaww 1 Infrasuite Device Master 2023-01-23 N/A 8.8 HIGH
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization.
CVE-2022-46478 1 Datax-web Project 1 Datax-web 2023-01-23 N/A 9.8 CRITICAL
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data.