Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-502
Total 934 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-41966 1 Xstream Project 1 Xstream 2023-01-06 N/A 7.5 HIGH
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
CVE-2020-10650 2 Fasterxml, Oracle 3 Jackson-databind, Retail Merchandising System, Retail Sales Audit 2023-01-05 N/A 8.1 HIGH
A deserialization flaw was discovered in jackson-databind through It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CVE-2022-4120 1 Trumani 1 Stop Spammers 2023-01-04 N/A 9.8 CRITICAL
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain
CVE-2022-41596 1 Huawei 2 Emui, Harmonyos 2022-12-23 N/A 7.5 HIGH
The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components.
CVE-2022-44542 1 Lesspipe Project 1 Lesspipe 2022-12-22 N/A 9.8 CRITICAL
lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash.
CVE-2021-38241 1 Ruoyi 1 Ruoyi 2022-12-21 N/A 9.8 CRITICAL
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
CVE-2022-40955 1 Apache 1 Inlong 2022-12-21 N/A 8.8 HIGH
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.
CVE-2021-33420 1 Replicator Project 1 Replicator 2022-12-20 N/A 9.8 CRITICAL
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.
CVE-2022-3900 1 Boxystudio 1 Cooked 2022-12-14 N/A 9.8 CRITICAL
The Cooked Pro WordPress plugin before does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
CVE-2019-17571 6 Apache, Canonical, Debian and 3 more 17 Bookkeeper, Log4j, Ubuntu Linux and 14 more 2022-12-14 7.5 HIGH 9.8 CRITICAL
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVE-2016-9045 1 Processmaker 1 Processmaker 2022-12-14 6.5 MEDIUM 8.8 HIGH
A code execution vulnerability exists in ProcessMaker Enterprise Core A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
CVE-2021-42550 4 Netapp, Qos, Redhat and 1 more 6 Cloud Manager, Service Level Manager, Snap Creator Framework and 3 more 2022-12-12 8.5 HIGH 6.6 MEDIUM
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CVE-2022-44351 1 Skycaiji 1 Skycaiji 2022-12-09 N/A 9.8 CRITICAL
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.
CVE-2022-44371 1 Hope-boot Project 1 Hope-boot 2022-12-09 N/A 9.8 CRITICAL
hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).
CVE-2022-32224 1 Activerecord Project 1 Activerecord 2022-12-08 N/A 9.8 CRITICAL
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record <, <, < and < which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
CVE-2016-1000027 1 Vmware 1 Spring Framework 2022-12-07 7.5 HIGH 9.8 CRITICAL
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CVE-2022-3357 1 Nextendweb 1 Smart Slider 3 2022-12-06 N/A 8.8 HIGH
The Smart Slider 3 WordPress plugin before unserialises the content of an imported file, which could lead to PHP object injection issues when a user import (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.
CVE-2019-9061 1 Cmsmadesimple 1 Cms Made Simple 2022-12-02 6.5 MEDIUM 8.8 HIGH
An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.
CVE-2018-19296 4 Debian, Fedoraproject, Phpmailer Project and 1 more 4 Debian Linux, Fedora, Phpmailer and 1 more 2022-12-02 6.8 MEDIUM 8.8 HIGH
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
CVE-2018-19274 2 Debian, Phpbb 2 Debian Linux, Phpbb 2022-12-02 6.5 MEDIUM 7.2 HIGH
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.