Total
934 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18580 | 1 Dell | 1 Emc Storage Monitoring And Reporting | 2019-12-16 | 10.0 HIGH | 10.0 CRITICAL |
| Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host. | |||||
| CVE-2019-17556 | 1 Apache | 1 Olingo | 2019-12-13 | 10.0 HIGH | 9.8 CRITICAL |
| Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case. | |||||
| CVE-2017-1000053 | 1 Plug Project | 1 Plug | 2019-12-13 | 6.8 MEDIUM | 8.1 HIGH |
| Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. | |||||
| CVE-2019-19230 | 3 Broadcom, Linux, Microsoft | 3 Nolio, Linux Kernel, Windows | 2019-12-12 | 7.5 HIGH | 9.8 CRITICAL |
| An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code. | |||||
| CVE-2019-15271 | 1 Cisco | 8 Rv016 Multi-wan Vpn, Rv016 Multi-wan Vpn Firmware, Rv042 Dual Wan Vpn and 5 more | 2019-12-11 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges. | |||||
| CVE-2019-17206 | 1 Redis Wrapper Project | 1 Redis Wrapper | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. | |||||
| CVE-2019-4561 | 1 Ibm | 1 Security Identity Manager | 2019-11-22 | 9.3 HIGH | 8.8 HIGH |
| IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 166456. | |||||
| CVE-2019-1373 | 1 Microsoft | 1 Exchange Server | 2019-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. | |||||
| CVE-2019-8141 | 1 Magento | 1 Magento | 2019-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | |||||
| CVE-2019-18601 | 1 Openafs | 1 Openafs | 2019-11-05 | 5.0 MEDIUM | 7.5 HIGH |
| OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler. | |||||
| CVE-2019-18364 | 1 Jetbrains | 1 Teamcity | 2019-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution. | |||||
| CVE-2019-13116 | 1 Mulesoft | 1 Mule Runtime | 2019-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections | |||||
| CVE-2017-14141 | 1 Kaltura | 1 Kaltura Server | 2019-10-17 | 6.5 MEDIUM | 7.2 HIGH |
| The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. | |||||
| CVE-2019-6338 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2019-10-09 | 6.0 MEDIUM | 8.0 HIGH |
| In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details | |||||
| CVE-2019-5434 | 1 Revive-sas | 1 Revive Adserver | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0. | |||||
| CVE-2019-12799 | 1 Shopware | 1 Shopware | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch. | |||||
| CVE-2019-12630 | 1 Cisco | 1 Security Manager | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of casuser. | |||||
| CVE-2018-7529 | 1 Osisoft | 1 Pi Data Archive | 2019-10-09 | 7.8 HIGH | 7.5 HIGH |
| A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server. | |||||
| CVE-2018-6331 | 1 Facebook | 1 Buck | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01. | |||||
| CVE-2018-1851 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999. | |||||