Search
Total
865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32636 | 1 Gnome | 1 Glib | 2024-01-12 | N/A | 7.5 HIGH |
| A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499. | |||||
| CVE-2023-26436 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-01-12 | N/A | 8.8 HIGH |
| Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known. | |||||
| CVE-2023-52202 | 1 Svnlabs | 1 Html5 Mp3 Player With Folder Feedburner Playlist Free | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Folder Feedburner Playlist Free.This issue affects HTML5 MP3 Player with Folder Feedburner Playlist Free: from n/a through 2.8.0. | |||||
| CVE-2023-6528 | 1 Themepunch | 1 Slider Revolution | 2024-01-11 | N/A | 8.8 HIGH |
| The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. | |||||
| CVE-2023-52205 | 1 Svnlabs | 1 Html5 Soundcloud Player With Playlist Free | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free.This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0. | |||||
| CVE-2023-52206 | 1 Blueastral | 1 Page Builder\ | 2024-01-11 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer live-composer-page-builder.This issue affects Page Builder: Live Composer: from n/a through 1.5.25. | |||||
| CVE-2023-52200 | 1 Reputeinfosystems | 1 Armember | 2024-01-11 | N/A | 9.8 CRITICAL |
| Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a. | |||||
| CVE-2023-5235 | 1 Kutethemes | 1 Ovic Responsive Wpbakery | 2024-01-11 | N/A | 8.8 HIGH |
| The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks. | |||||
| CVE-2023-52207 | 1 Svnlabs | 1 Html5 Mp3 Player With Playlist Free | 2024-01-11 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Playlist Free.This issue affects HTML5 MP3 Player with Playlist Free: from n/a through 3.0.0. | |||||
| CVE-2024-0302 | 1 Fhs-opensource | 1 Iparking | 2024-01-11 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in fhs-opensource iparking 1.5.22.RELEASE. This issue affects some unknown processing of the file /vueLogin. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249869 was assigned to this vulnerability. | |||||
| CVE-2023-52218 | 1 Antonbond | 1 Woocommerce Tranzila Payment Gateway | 2024-01-11 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway.This issue affects Woocommerce Tranzila Payment Gateway: from n/a through 1.0.8. | |||||
| CVE-2023-52219 | 1 Gecka | 1 Terms Thumbnails | 2024-01-11 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Gecka Gecka Terms Thumbnails.This issue affects Gecka Terms Thumbnails: from n/a through 1.1. | |||||
| CVE-2023-52225 | 1 Taggbox | 1 Taggbox | 2024-01-11 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1. | |||||
| CVE-2023-6654 | 1 Phpems | 1 Phpems | 2024-01-11 | N/A | 8.8 HIGH |
| A vulnerability classified as critical was found in PHPEMS 6.x/7.x/8.x/9.0. Affected by this vulnerability is an unknown functionality in the library lib/session.cls.php of the component Session Data Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability. | |||||
| CVE-2022-2442 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2024-01-11 | N/A | 7.2 HIGH |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2023-49442 | 1 Jeecg | 1 Jeecg | 2024-01-10 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. | |||||
| CVE-2023-7032 | 2024-01-10 | N/A | N/A | ||
| A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object. | |||||
| CVE-2023-51785 | 1 Apache | 1 Inlong | 2024-01-09 | N/A | 7.5 HIGH |
| Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331 | |||||
| CVE-2019-12799 | 1 Shopware | 1 Shopware | 2024-01-09 | 6.5 MEDIUM | 8.8 HIGH |
| In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch. | |||||
| CVE-2013-1465 | 1 Cubecart | 1 Cubecart | 2024-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. | |||||
| CVE-2015-8103 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | |||||
| CVE-2023-38203 | 1 Adobe | 1 Coldfusion | 2024-01-09 | N/A | 9.8 CRITICAL |
| Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-29300 | 1 Adobe | 1 Coldfusion | 2024-01-09 | N/A | 9.8 CRITICAL |
| Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-49777 | 1 Yithemes | 1 Yith Woocommerce Product Add-ons | 2024-01-08 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0. | |||||
| CVE-2018-8013 | 4 Apache, Canonical, Debian and 1 more | 21 Batik, Ubuntu Linux, Debian Linux and 18 more | 2024-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. | |||||
| CVE-2023-52181 | 1 Presslabs | 1 Theme Per User | 2024-01-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1. | |||||
| CVE-2023-52182 | 1 Ari-soft | 1 Ari Stream Quiz | 2024-01-05 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder.This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0. | |||||
| CVE-2023-51545 | 1 Themehigh | 1 Job Manager \& Career | 2024-01-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in ThemeHigh Job Manager & Career – Manage job board listings, and recruitments.This issue affects Job Manager & Career – Manage job board listings, and recruitments: from n/a through 1.4.4. | |||||
| CVE-2023-51505 | 1 Pluginus | 1 Active Products Tables For Woocommerce | 2024-01-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store.This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store : from n/a through 1.0.6. | |||||
| CVE-2023-51414 | 1 Donweb | 1 Envialosimple\ | 2024-01-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in EnvialoSimple EnvíaloSimple: Email Marketing y Newsletters.This issue affects EnvíaloSimple: Email Marketing y Newsletters: from n/a through 2.1. | |||||
| CVE-2023-51470 | 1 Boiteasite | 1 Rencontre | 2024-01-05 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Jacques Malgrange Rencontre – Dating Site.This issue affects Rencontre – Dating Site: from n/a through 3.11.1. | |||||
| CVE-2023-51422 | 1 Saleswonder | 1 Webinarignition | 2024-01-05 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition.This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0. | |||||
| CVE-2023-49773 | 1 Bcorp Shortcodes Project | 1 Bcorp Shortcodes | 2024-01-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through 0.23. | |||||
| CVE-2023-32513 | 1 Givewp | 1 Givewp | 2024-01-04 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.3. | |||||
| CVE-2023-32795 | 1 Woocommerce | 1 Product Addons | 2024-01-04 | N/A | 7.2 HIGH |
| Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons.This issue affects Product Add-Ons: from n/a through 6.1.3. | |||||
| CVE-2023-36381 | 1 Gesundheit-bewegt | 1 Zippy | 2024-01-04 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.5. | |||||
| CVE-2023-51700 | 1 Jamieblomerus | 1 Unofficial Mobile Bankid Integration | 2024-01-04 | N/A | 9.8 CRITICAL |
| Unofficial Mobile BankID Integration for WordPress lets users employ Mobile BankID to authenticate themselves on your WordPress site. Prior to 1.0.1, WP-Mobile-BankID-Integration is affected by a vulnerability classified as a Deserialization of Untrusted Data vulnerability, specifically impacting scenarios where an attacker can manipulate the database. If unauthorized actors gain access to the database, they could exploit this vulnerability to execute object injection attacks. This could lead to unauthorized code execution, data manipulation, or data exfiltration within the WordPress environment. Users of the plugin should upgrade to version 1.0.1 (or later), where the serialization and deserialization of OrderResponse objects have been switched out to an array stored as JSON. A possible workaround for users unable to upgrade immediately is to enforce stricter access controls on the database, ensuring that only trusted and authorized entities can modify data. Additionally, implementing monitoring tools to detect unusual database activities could help identify and mitigate potential exploitation attempts. | |||||
| CVE-2022-34268 | 1 Rws | 1 Worldserver | 2024-01-03 | N/A | 9.8 CRITICAL |
| An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host. | |||||
| CVE-2023-51656 | 1 Apache | 1 Iotdb | 2024-01-02 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue. | |||||
| CVE-2023-49819 | 1 Wpsc-plugin | 1 Structured Content | 2024-01-02 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc.This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3. | |||||
| CVE-2023-7018 | 1 Huggingface | 1 Transformers | 2023-12-30 | N/A | 7.8 HIGH |
| Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. | |||||
| CVE-2020-17144 | 1 Microsoft | 1 Exchange Server | 2023-12-30 | 6.0 MEDIUM | 8.4 HIGH |
| Microsoft Exchange Remote Code Execution Vulnerability | |||||
| CVE-2021-26857 | 1 Microsoft | 1 Exchange Server | 2023-12-29 | 6.8 MEDIUM | 7.8 HIGH |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2021-24066 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2023-12-29 | 6.5 MEDIUM | 8.8 HIGH |
| Microsoft SharePoint Remote Code Execution Vulnerability | |||||
| CVE-2023-49772 | 1 Phpbits | 1 Genesis Simple Love | 2023-12-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0. | |||||
| CVE-2023-49778 | 1 Dmry | 1 Sayfa Sayac | 2023-12-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6. | |||||
| CVE-2023-32242 | 1 Xtemos | 1 Woodmart | 2023-12-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in xtemos WoodMart - Multipurpose WooCommerce Theme.This issue affects WoodMart - Multipurpose WooCommerce Theme: from n/a through 1.0.36. | |||||
| CVE-2023-49826 | 1 Pencidesign | 1 Soledad | 2023-12-29 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1. | |||||
| CVE-2021-34520 | 1 Microsoft | 2 Sharepoint Foundation, Sharepoint Server | 2023-12-28 | 6.5 MEDIUM | 8.1 HIGH |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||
| CVE-2023-28782 | 1 Gravityforms | 1 Gravity Forms | 2023-12-28 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Gravity Forms.This issue affects Gravity Forms: from n/a through 2.7.3. | |||||