Total
1235 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45845 | 1 Nextendweb | 1 Smart Slider 3 | 2024-01-25 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.This issue affects Smart Slider 3: from n/a through 3.5.1.9. | |||||
| CVE-2022-45083 | 1 Properfraction | 1 Profilepress | 2024-01-25 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.3.2. | |||||
| CVE-2003-0791 | 2 Mozilla, Sco | 2 Mozilla, Openserver | 2024-01-25 | 7.5 HIGH | 9.8 CRITICAL |
| The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed. | |||||
| CVE-2012-4406 | 3 Fedoraproject, Openstack, Redhat | 7 Fedora, Swift, Enterprise Linux Server and 4 more | 2024-01-25 | 7.5 HIGH | 9.8 CRITICAL |
| OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. | |||||
| CVE-2023-1405 | 1 Strategy11 | 1 Formidable Forms | 2024-01-23 | N/A | 7.5 HIGH |
| The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. | |||||
| CVE-2019-17570 | 5 Apache, Canonical, Debian and 2 more | 6 Xml-rpc, Ubuntu Linux, Debian Linux and 3 more | 2024-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. | |||||
| CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2024-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | |||||
| CVE-2011-2520 | 2 Fedoraproject, Redhat | 2 Fedora, System-config-firewall | 2024-01-21 | 6.0 MEDIUM | 7.8 HIGH |
| fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object. | |||||
| CVE-2012-0911 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2024-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. | |||||
| CVE-2012-3527 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2024-01-21 | 4.6 MEDIUM | N/A |
| view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." | |||||
| CVE-2023-6049 | 1 Estatik | 1 Estatik | 2024-01-19 | N/A | 9.8 CRITICAL |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog | |||||
| CVE-2018-15133 | 1 Laravel | 1 Laravel | 2024-01-17 | 6.8 MEDIUM | 8.1 HIGH |
| In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. | |||||
| CVE-2023-7032 | 1 Schneider-electric | 1 Easergy Studio | 2024-01-16 | N/A | 7.8 HIGH |
| A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object. | |||||
| CVE-2023-32636 | 1 Gnome | 1 Glib | 2024-01-12 | N/A | 7.5 HIGH |
| A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499. | |||||
| CVE-2023-26436 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-01-12 | N/A | 8.8 HIGH |
| Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known. | |||||
| CVE-2023-52202 | 1 Svnlabs | 1 Html5 Mp3 Player With Folder Feedburner Playlist Free | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Folder Feedburner Playlist Free.This issue affects HTML5 MP3 Player with Folder Feedburner Playlist Free: from n/a through 2.8.0. | |||||
| CVE-2023-6528 | 1 Themepunch | 1 Slider Revolution | 2024-01-11 | N/A | 8.8 HIGH |
| The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. | |||||
| CVE-2023-52206 | 1 Blueastral | 1 Page Builder\ | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer live-composer-page-builder.This issue affects Page Builder: Live Composer: from n/a through 1.5.25. | |||||
| CVE-2023-52205 | 1 Svnlabs | 1 Html5 Soundcloud Player With Playlist Free | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free.This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0. | |||||
| CVE-2023-52200 | 1 Reputeinfosystems | 1 Armember | 2024-01-11 | N/A | 9.8 CRITICAL |
| Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a. | |||||