Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-502
Total 934 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-16755 1 Bmc 1 Myit Digital Workplace 2019-10-02 7.5 HIGH 9.8 CRITICAL
BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted application. Affected DWP versions: versions: 3.x to 18.x, all versions, service packs, and patches are affected by this vulnerability. Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08, and 19.02, all versions, service packs, and patches are affected by this vulnerability.
CVE-2019-6446 2 Fedoraproject, Numpy 2 Fedora, Numpy 2019-09-30 7.5 HIGH 9.8 CRITICAL
** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
CVE-2019-11666 1 Microfocus 1 Service Manager 2019-09-18 6.8 MEDIUM 8.8 HIGH
Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deserialization of untrusted data.
CVE-2019-16317 1 Pimcore 1 Pimcore 2019-09-17 6.5 MEDIUM 8.8 HIGH
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
CVE-2017-18604 1 Sitebuilder Dynamic Components Project 1 Sitebuilder Dynamic Components 2019-09-11 5.0 MEDIUM 7.5 HIGH
The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request.
CVE-2017-18605 1 Gravitatedesign 1 Gravitate Qa Tracker 2019-09-10 7.5 HIGH 9.8 CRITICAL
The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection.
CVE-2018-11569 1 Eventum Project 1 Eventum 2019-09-06 7.5 HIGH 9.8 CRITICAL
Controller/ListController.php in Eventum 3.5.0 is vulnerable to Deserialization of Untrusted Data. Fixed in version 3.5.2.
CVE-2019-15521 2 Fork-cms, Spoon-library 2 Fork Cms, Spoon Library 2019-08-28 7.5 HIGH 9.8 CRITICAL
Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.
CVE-2018-20987 1 Tribulant 1 Newsletters 2019-08-23 7.5 HIGH 9.8 CRITICAL
The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection.
CVE-2019-12240 1 Virim Project 1 Virim 2019-08-22 7.5 HIGH 9.8 CRITICAL
The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php.
CVE-2017-9805 1 Apache 1 Struts 2019-08-12 6.8 MEDIUM 8.1 HIGH
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
CVE-2016-10750 1 Hazelcast 1 Hazelcast 2019-08-08 6.8 MEDIUM 8.1 HIGH
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CVE-2018-15133 1 Laravel 1 Laravel 2019-07-15 6.8 MEDIUM 8.1 HIGH
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
CVE-2019-10912 1 Sensiolabs 1 Symfony 2019-07-12 6.5 MEDIUM 7.1 HIGH
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
CVE-2019-12760 1 Parso Project 1 Parso 2019-07-05 6.0 MEDIUM 7.5 HIGH
** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
CVE-2019-11011 1 Akamai 1 Cloudtest 2019-06-23 7.5 HIGH 9.8 CRITICAL
Akamai CloudTest before 58.30 allows remote code execution.
CVE-2016-3957 1 Web2py 1 Web2py 2019-06-21 7.5 HIGH 9.8 CRITICAL
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
CVE-2018-15890 1 Ethereum 1 Ethereumj 2019-06-20 10.0 HIGH 9.8 CRITICAL
An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.
CVE-2019-12868 1 Misp 1 Misp 2019-06-18 6.5 MEDIUM 7.2 HIGH
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-11080 1 Sitecore 1 Experience Platform 2019-06-13 9.0 HIGH 8.8 HIGH
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.