Total: 1329 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-41596 | 1 Huawei | 2 Emui, Harmonyos | 2022-12-24 | 7.5 High |
The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components. | ||||
CVE-2022-44542 | 1 Lesspipe Project | 1 Lesspipe | 2022-12-22 | 9.8 Critical |
lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash. | ||||
CVE-2021-38241 | 1 Ruoyi | 1 Ruoyi | 2022-12-21 | 9.8 Critical |
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework. | ||||
CVE-2022-40955 | 1 Apache | 1 Inlong | 2022-12-21 | 8.8 High |
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer. | ||||
CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2022-12-20 | 9.8 Critical |
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | ||||
CVE-2016-9045 | 1 Processmaker | 1 Processmaker | 2022-12-14 | 8.8 High |
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability. | ||||
CVE-2021-42550 | 4 Netapp, Qos, Redhat and 1 more | 6 Cloud Manager, Service Level Manager, Snap Creator Framework and 3 more | 2022-12-12 | 6.6 Medium |
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from LDAP servers. | ||||
CVE-2022-44351 | 1 Skycaiji | 1 Skycaiji | 2022-12-10 | 9.8 Critical |
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. | ||||
CVE-2022-44371 | 1 Hope-boot Project | 1 Hope-boot | 2022-12-09 | 9.8 Critical |
hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). | ||||
CVE-2022-32224 | 1 Activerecord Project | 1 Activerecord | 2022-12-08 | 9.8 Critical |
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, < 6.1.6.1, < 6.0.5.1 and < 5.2.8.1, which could allow an attacker that can manipulate data in the database (via means like SQL injection) to escalate to an RCE. | ||||
CVE-2022-3357 | 1 Nextendweb | 1 Smart Slider 3 | 2022-12-07 | 8.8 High |
The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site. | ||||
CVE-2019-9061 | 1 Cmsmadesimple | 1 Cms Made Simple | 2022-12-02 | 8.8 High |
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. | ||||
CVE-2019-9057 | 1 Cmsmadesimple | 1 Cms Made Simple | 2022-12-02 | 8.8 High |
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection. | ||||
CVE-2018-19274 | 2 Debian, Phpbb | 2 Debian Linux, Phpbb | 2022-12-02 | 7.2 High |
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions. | ||||
CVE-2022-42004 | 4 Debian, Fasterxml, Netapp and 1 more | 4 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 1 more | 2022-12-02 | 7.5 High |
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | ||||
CVE-2022-36964 | 1 Solarwinds | 1 Orion Platform | 2022-12-01 | 8.8 High |
SolarWinds Platform was susceptible to deserialization of untrusted data. This vulnerability allows a remote adversary with valid access to the SolarWinds Web Console to execute arbitrary commands. | ||||
CVE-2022-41958 | 1 Super Xray Project | 1 Super Xray | 2022-11-30 | 7.8 High |
super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
CVE-2022-41875 | 1 Airbnb | 1 Optica | 2022-11-30 | 9.8 Critical |
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code on the system running Optica via specially crafted JSON payloads. The vulnerability was patched in v. 0.10.2, where the call to the function `oj.load` was changed to `oj.safe_load`. | ||||
CVE-2022-41922 | 1 Yiiframework | 1 Yii | 2022-11-30 | 9.8 Critical |
Versions of `yiisoft/yii` before 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | ||||
CVE-2022-25647 | 4 Debian, Google, Netapp and 1 more | 6 Debian Linux, Gson, Active Iq Unified Manager and 3 more | 2022-11-28 | 7.5 High |
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. | ||||
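Several entries above turn on the same distinction: a full deserializer that instantiates whatever class the input names (the YAML serialized columns in CVE-2022-32224, the `oj.load` call in CVE-2022-41875) versus a restricted loader that only builds primitives and an explicit allow-list (`oj.safe_load`, `YAML.safe_load`). The block below is an added example, not code from Rails, Optica or any other project listed here. It uses Ruby's standard Psych library rather than Oj so it runs offline; the `AuditRecord` class, the helper names and the tampered column content are constructed for the example, standing in for a YAML-serialized column that an attacker has rewritten through SQL injection.

```ruby
require 'yaml'

# Hypothetical application class (constructed for this example). Any class
# loaded in the process can be named in a `!ruby/object:` tag; the unsafe
# loader will instantiate it and set its instance variables from the input.
class AuditRecord
  attr_accessor :actor, :role
end

# Constructed sample of what an attacker could write into a YAML-serialized
# column so that deserializing it yields an object of a class the
# application never intended to build from that column.
TAMPERED_COLUMN = <<~YAML
  --- !ruby/object:AuditRecord
  actor: mallory
  role: admin
YAML

# Vulnerable pattern: full YAML deserialization of attacker-controlled data.
# Psych.unsafe_load exists in Psych >= 3.3.2; on older Psych versions
# Psych.load itself is the unsafe loader, so fall back to it there.
def load_column_unsafe(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# Hardened pattern: safe_load builds only scalars, arrays and hashes plus
# the classes listed in permitted_classes; any other tag raises
# Psych::DisallowedClass instead of instantiating the named class.
def load_column_safe(yaml, permitted: [])
  Psych.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# Reduces a loader's behaviour on the input to a symbolic outcome:
# :instantiated when an AuditRecord object came back, :rejected when the
# loader refused the tag, otherwise the plain value that was loaded.
def classify(loader, yaml, **opts)
  obj = opts.empty? ? loader.call(yaml) : loader.call(yaml, **opts)
  obj.is_a?(AuditRecord) ? :instantiated : obj
rescue Psych::DisallowedClass
  :rejected
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe loader:      #{classify(method(:load_column_unsafe), TAMPERED_COLUMN)}"
  puts "safe loader:        #{classify(method(:load_column_safe), TAMPERED_COLUMN)}"
  puts "safe + allow-list:  #{classify(method(:load_column_safe), TAMPERED_COLUMN,
                                       permitted: [AuditRecord])}"
end
```

Instantiating an arbitrary class is the precondition the CVE texts describe, not the exploit itself: turning it into code execution still needs a gadget chain reachable from the instantiated class, which is why the Smart Slider 3 entry above qualifies its impact with "a suitable gadget chain is present on the site". The allow-list form is the right fix when a column genuinely needs to hold objects of one known class; an empty allow-list is the right default everywhere else.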