Total
934 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29505 | 5 Debian, Fedoraproject, Netapp and 2 more | 16 Debian Linux, Fedora, Snapmanager and 13 more | 2022-07-25 | 6.5 MEDIUM | 8.8 HIGH |
| XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. | |||||
| CVE-2022-2437 | 1 Slickremix | 1 Feed Them Social | 2022-07-25 | N/A | 9.8 CRITICAL |
| The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2022-2444 | 1 Themeisle | 1 Visualizer | 2022-07-25 | N/A | 8.8 HIGH |
| The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2022-31115 | 1 Amazon | 1 Opensearch | 2022-07-25 | 6.8 MEDIUM | 8.8 HIGH |
| opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-30981 | 1 Gentics | 1 Gentics Cms | 2022-07-21 | N/A | 8.8 HIGH |
| An issue was discovered in Gentics CMS before 5.43.1. By uploading a malicious ZIP file, an attacker is able to deserialize arbitrary data and hence can potentially achieve Java code execution. | |||||
| CVE-2022-35857 | 1 Kvf-admin Project | 1 Kvf-admin | 2022-07-21 | N/A | 9.8 CRITICAL |
| kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file. | |||||
| CVE-2021-36665 | 1 Druva | 1 Insync Client | 2022-07-20 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Druva 6.9.0 for macOS, allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon. | |||||
| CVE-2011-2894 | 1 Vmware | 2 Spring Framework, Spring Security | 2022-07-17 | 6.8 MEDIUM | N/A |
| Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. | |||||
| CVE-2022-31604 | 1 Nvidia | 1 Nvflare | 2022-07-13 | 7.5 HIGH | 9.8 CRITICAL |
| NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | |||||
| CVE-2022-31605 | 1 Nvidia | 1 Nvflare | 2022-07-13 | 7.5 HIGH | 9.8 CRITICAL |
| NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | |||||
| CVE-2021-45394 | 1 Html2pdf Project | 1 Html2pdf | 2022-07-12 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document. | |||||
| CVE-2021-26857 | 1 Microsoft | 1 Exchange Server | 2022-07-12 | 6.8 MEDIUM | 7.8 HIGH |
| Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. | |||||
| CVE-2020-17144 | 1 Microsoft | 1 Exchange Server | 2022-07-12 | 6.0 MEDIUM | 8.4 HIGH |
| Microsoft Exchange Remote Code Execution Vulnerability This CVE ID is unique from CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142. | |||||
| CVE-2022-33107 | 1 Thinkphp | 1 Thinkphp | 2022-07-07 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | |||||
| CVE-2020-25258 | 1 Hyland | 1 Onbase | 2022-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages. | |||||
| CVE-2020-25260 | 1 Hyland | 1 Onbase | 2022-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization. | |||||
| CVE-2020-25259 | 1 Hyland | 1 Onbase | 2022-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner. | |||||
| CVE-2020-4280 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-06-29 | 9.0 HIGH | 8.8 HIGH |
| IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 176140. | |||||
| CVE-2020-28032 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2022-06-29 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. | |||||
| CVE-2019-5069 | 1 Epignosishq | 1 Efront Lms | 2022-06-27 | 6.5 MEDIUM | 8.8 HIGH |
| A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability. | |||||