Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-502
Total 934 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14892 3 Apache, Fasterxml, Redhat 8 Geode, Jackson-databind, Decision Manager and 5 more 2023-02-02 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2018-3972 1 Getmonero 1 Monero 2023-02-02 7.5 HIGH 9.8 CRITICAL
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
CVE-2022-31710 1 Vmware 1 Vrealize Log Insight 2023-02-01 N/A 7.5 HIGH
vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.
CVE-2022-3359 1 Averta 1 Shortcodes And Extra Features For Phlox Theme 2023-02-01 N/A 8.8 HIGH
The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
CVE-2022-3425 1 Sumo 1 Google Analyticator 2023-01-31 N/A 7.2 HIGH
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2022-4323 1 Sumo 1 Google Analyticator 2023-01-30 N/A 7.2 HIGH
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present
CVE-2022-45923 1 Opentext 1 Opentext Extended Ecm 2023-01-30 N/A 8.8 HIGH
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker.
CVE-2023-22850 1 Tiki 1 Tiki 2023-01-25 N/A 8.8 HIGH
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
CVE-2022-4890 1 Predictapp Project 1 Predictapp 2023-01-24 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in abhilash1985 PredictApp. This issue affects some unknown processing of the file config/initializers/new_framework_defaults_7_0.rb of the component Cookie Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The name of the patch is b067372f3ee26fe1b657121f0f41883ff4461a06. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218387.
CVE-2022-41778 1 Deltaww 1 Infrasuite Device Master 2023-01-23 N/A 8.8 HIGH
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization.
CVE-2022-46478 1 Datax-web Project 1 Datax-web 2023-01-23 N/A 9.8 CRITICAL
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data.
CVE-2021-39144 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2023-01-20 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2022-3679 1 Kadencewp 1 Starter Templates 2023-01-12 N/A 8.8 HIGH
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
CVE-2022-3417 1 Bravenewcode 1 Wptouch 2023-01-12 N/A 8.8 HIGH
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.
CVE-2022-4043 1 Wp Custom Admin Interface Project 1 Wp Custom Admin Interface 2023-01-12 N/A 7.2 HIGH
The WP Custom Admin Interface WordPress plugin before 7.29 unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2021-32824 1 Apache 1 Dubbo 2023-01-10 N/A 9.8 CRITICAL
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
CVE-2022-4302 1 Videousermanuals 1 White Label Cms 2023-01-09 N/A 7.2 HIGH
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2022-4324 1 Wpgogo 1 Custom Field Template 2023-01-09 N/A 7.2 HIGH
The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.
CVE-2022-4237 1 Collne 1 Welcart E-commerce 2023-01-09 N/A 8.8 HIGH
The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog
CVE-2021-31010 1 Apple 5 Ipados, Iphone Os, Mac Os X and 2 more 2023-01-09 5.0 MEDIUM 7.5 HIGH
A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release..