Total
934 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-5878 | 1 Red5 | 1 Media Server | 2020-08-05 | 7.5 HIGH | 9.8 CRITICAL |
| The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data. | |||||
| CVE-2010-3258 | 1 Google | 1 Chrome | 2020-08-04 | 9.3 HIGH | N/A |
| The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors. | |||||
| CVE-2017-1000195 | 1 Octobercms | 1 October | 2020-08-03 | 6.4 MEDIUM | 7.5 HIGH |
| October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. | |||||
| CVE-2010-4574 | 2 Google, Linux | 3 Chrome, Chrome Os, Linux Kernel | 2020-07-31 | 7.5 HIGH | N/A |
| The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data. | |||||
| CVE-2017-14702 | 1 Branaghgroup | 1 Ers Data System | 2020-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization. | |||||
| CVE-2020-12007 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2020-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. | |||||
| CVE-2020-12009 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2020-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. | |||||
| CVE-2020-10917 | 1 Nec | 1 Esmpro Manager | 2020-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10007. | |||||
| CVE-2020-15842 | 1 Liferay | 2 Dxp, Liferay Portal | 2020-07-24 | 6.8 MEDIUM | 8.1 HIGH |
| Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. | |||||
| CVE-2020-11982 | 1 Apache | 1 Airflow | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker. | |||||
| CVE-2020-14000 | 1 Mit | 1 Scratch-vm | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented. NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts. | |||||
| CVE-2020-1439 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2020-07-23 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input, aka 'PerformancePoint Services Remote Code Execution Vulnerability'. | |||||
| CVE-2020-4464 | 1 Ibm | 1 Websphere Application Server | 2020-07-22 | 9.0 HIGH | 8.8 HIGH |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489. | |||||
| CVE-2020-12015 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2020-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. | |||||
| CVE-2020-1948 | 1 Apache | 1 Dubbo | 2020-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below. | |||||
| CVE-2020-4305 | 1 Ibm | 2 Infosphere Information Server, Infosphere Information Server On Cloud | 2020-07-17 | 9.3 HIGH | 8.8 HIGH |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176677. | |||||
| CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | |||||
| CVE-2016-6814 | 2 Apache, Redhat | 2 Groovy, Enterprise Linux Server | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability. | |||||
| CVE-2016-4000 | 2 Debian, Jython Project | 2 Debian Linux, Jython | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | |||||
| CVE-2015-7501 | 1 Redhat | 15 Data Grid, Jboss A-mq, Jboss Bpm Suite and 12 more | 2020-07-14 | 10.0 HIGH | 9.8 CRITICAL |
| Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||