Total: 1207 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-18375 | 1 Ampache | 1 Ampache | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.
CVE-2018-12680 | 1 Coapthon Project | 1 Coapthon | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.
CVE-2016-10753 | 1 E107 | 1 E107 | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.
CVE-2019-11011 | 1 Akamai | 1 Cloudtest | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Akamai CloudTest before 58.30 allows remote code execution.
CVE-2019-14224 | 1 Alfresco | 1 Alfresco | 2023-12-10 | 9.0 HIGH | 7.2 HIGH | An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr configuration files and then receive a JMX connection from the victim, and serve a Java object that results in deserialization and code execution.
CVE-2018-12022 | 5 Debian, Fasterxml, Fedoraproject and 2 more | 11 Debian Linux, Jackson-databind, Fedora and 8 more | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-20987 | 1 Tribulant | 1 Newsletters | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection.
CVE-2019-11030 | 1 Mirasys | 1 Mirasys Vms | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.
CVE-2019-0187 | 1 Apache | 1 Jmeter | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes, so an upgrade to JMeter 5.1 is also advised.
CVE-2019-10135 | 1 Osbs-client Project | 1 Osbs-client | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH | A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files.
CVE-2019-6980 | 1 Synacor | 1 Zimbra Collaboration Suite | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
CVE-2019-9875 | 1 Sitecore | 1 Cms | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | Deserialization of Untrusted Data in the anti-CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
CVE-2018-12679 | 1 Coapthon3 Project | 1 Coapthon3 | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages.
CVE-2016-10750 | 1 Hazelcast | 1 Hazelcast | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH | In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CVE-2019-12747 | 1 Typo3 | 1 Typo3 | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
CVE-2019-10924 | 1 Siemens | 1 Logo! Soft Comfort | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH | A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.3). The vulnerability could allow an attacker to execute arbitrary code if the attacker tricks a legitimate user into opening a manipulated project. In order to exploit the vulnerability, a valid user must open a manipulated project file. No further privileges are required on the target system. The vulnerability could compromise the confidentiality, integrity and availability of the engineering station. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2019-7091 | 1 Adobe | 1 Coldfusion | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-14540 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 20 Debian Linux, Jackson-databind, Fedora and 17 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-11666 | 1 Microfocus | 1 Service Manager | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH | Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deserialization of untrusted data.
CVE-2019-15320 | 1 Optiontree Project | 1 Optiontree | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.