Total: 1329 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-10189 | 1 Zohocorp | 1 Manageengine Desktop Central | 2022-10-07 | 9.8 Critical | Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. |
CVE-2020-11973 | 2 Apache, Oracle | 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more | 2022-10-05 | 9.8 Critical | Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. |
CVE-2019-10173 | 2 Oracle, Xstream Project | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2022-10-05 | 9.8 Critical | It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285). |
CVE-2021-4178 | 1 Redhat | 9 A-mq Streams, Build Of Quarkus, Decision Manager and 6 more | 2022-10-04 | 6.7 Medium | An arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to improperly configured YAML parsing, this allows a local and privileged attacker to supply malicious YAML. |
CVE-2017-14035 | 1 Crushftp | 1 Crushftp | 2022-10-03 | N/A | CrushFTP 8.x before 8.2.0 has a serialization vulnerability. |
CVE-2017-1000195 | 1 Octobercms | 1 October | 2022-10-03 | N/A | October CMS build 412 is vulnerable to PHP object injection in the asset move functionality, resulting in the ability to delete files, limited by file permissions on the server. |
CVE-2017-1000248 | 1 Redis-store | 1 Redis-store | 2022-10-03 | N/A | Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis. |
CVE-2018-1999042 | 1 Jenkins | 1 Jenkins | 2022-10-03 | N/A | A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. |
CVE-2018-10085 | 1 Cmsmadesimple | 1 Cms Made Simple | 2022-10-03 | N/A | CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files. |
CVE-2018-18240 | 1 Pippo | 1 Pippo | 2022-10-03 | N/A | Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling. |
CVE-2018-18628 | 1 Pippo | 1 Pippo | 2022-10-03 | N/A | An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution. |
CVE-2018-1000641 | 1 Yeswiki | 1 Yeswiki | 2022-10-03 | N/A | YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability when unserialising a user-entered parameter in i18n.inc.php that can result in execution of code and disclosure of information. |
CVE-2018-1000833 | 1 Zoneminder | 1 Zoneminder | 2022-10-03 | N/A | ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, and remote code execution. |
CVE-2018-1000827 | 1 Ubilling | 1 Ubilling | 2022-10-03 | N/A | Ubilling version <= 0.9.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, and remote code execution. |
CVE-2018-1000824 | 1 Megamek | 1 Megamek | 2022-10-03 | N/A | MegaMek version < v0.45.1 contains an Other/Unknown vulnerability in Object Stream Connection that can result in disclosure of confidential data, denial of service, SSRF, and remote code execution. |
CVE-2018-1000210 | 1 Yamldotnet Project | 1 Yamldotnet | 2022-10-03 | N/A | YamlDotNet version 4.3.2 and earlier contains an Insecure Direct Object Reference vulnerability: the default behavior of Deserializer.Deserialize() deserializes user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them, which can result in code execution in the context of the running process. This attack appears to be exploitable when the victim parses a specially crafted YAML file. This vulnerability appears to have been fixed in 5.0.0. |
CVE-2018-1000059 | 1 Validformbuilder | 1 Validform Builder | 2022-10-03 | N/A | ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnerability in the Valid Form unserialize method that can make it possible to execute unauthorised system commands remotely and disclose file contents on the file system. |
CVE-2018-1000832 | 1 Zoneminder | 1 Zoneminder | 2022-10-03 | N/A | ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, and remote code execution. |
CVE-2018-7889 | 1 Calibre-ebook | 1 Calibre | 2022-10-03 | N/A | gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. |
CVE-2019-6503 | 1 Chatopera | 1 Cosin | 2022-10-03 | N/A | There is a deserialization vulnerability in Chatopera cosin v3.10.0. An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method. |