Risk  Date        Author           Topic
High  20.05.2020  Moritz Bechler   Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization
Med.  08.03.2020  Mr_me            ManageEngine Desktop Central FileStorage getChartImage Deserialization / Unauthenticated Remote Code Execution
Med.  02.05.2019  Matteo Beccati   Revive Adserver Deserialization / Open Redirect
High  05.02.2019  Bishop Fox       OpenMRS Platform Insecure Object Deserialization
Med.  01.02.2017  Matteo Beccati   Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation
High  17.06.2016  Nate Kettlewell  Solarwinds Virtualization Manager 6.3.1 Java Deserialization


CVEMAP Search Results

Date        Risk    CVE             Vendor / Software
            (description on the following line)
2020-06-21  Medium  CVE-2020-14942  Tendenci / Tendenci
    Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.
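The Tendenci entry describes the pattern behind almost every item on this page: bytes the attacker controls are handed to a deserializer that will resolve and call arbitrary classes or functions. The block below is an added illustration in Python (Tendenci's language), not code from Tendenci, from any advisory listed here, or from this page. It hand-builds a protocol-0 pickle that calls builtins.eval during loading (the pickle equivalent of a PHP unserialize or Ruby Marshal gadget), shows that a plain pickle.loads runs it, and contrasts a restricted Unpickler whose find_class resolves only an explicit allowlist. The payload, the sample ticket object, the ALLOWED_GLOBALS set and the function names are all constructed for the demonstration and are assumptions, not anything taken from the affected product.

```python
"""Unrestricted vs. allowlisted pickle loading (added demonstration)."""
import datetime
import importlib
import io
import pickle

# Constructed malicious payload, written by hand as an attacker would:
#   c builtins\n eval\n   GLOBAL: push builtins.eval onto the stack
#   ( S'...'\n t          MARK, STRING, TUPLE: a 1-tuple of arguments
#   R                     REDUCE: call eval(*args) while unpickling
#   .                     STOP: return the call's result
# The expression is deliberately harmless (it just proves os was reachable);
# a real payload would call os.system or subprocess.Popen the same way.
MALICIOUS_PAYLOAD = b"cbuiltins\neval\n(S'__import__(\"os\").getpid() > 0'\ntR."

# Constructed benign object of the kind a helpdesk view might legitimately store.
BENIGN_OBJECT = {
    "ticket": 42,
    "opened": datetime.date(2020, 6, 21),
    "tags": ["urgent"],
}
BENIGN_PAYLOAD = pickle.dumps(BENIGN_OBJECT)


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads on attacker-controlled bytes.

    Any importable module.name the payload names is looked up and may be
    called with attacker-chosen arguments before this function returns.
    """
    return pickle.loads(data)


# Assumed allowlist: the only (module, name) globals this application needs.
# Primitive containers (dict, list, str, int) use dedicated opcodes and never
# go through find_class, so they need no entry.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside ALLOWED_GLOBALS.

    find_class is the hook pickle calls for the GLOBAL and STACK_GLOBAL
    opcodes, so builtins.eval, os.system, subprocess.Popen and friends are
    never resolved, and the REDUCE that would call them never runs.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Load a pickle through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def attempt_safe_loads(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) so callers can log rejects."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("unsafe_loads executed attacker code, result:", unsafe_loads(MALICIOUS_PAYLOAD))
    print("safe_loads on benign data:", safe_loads(BENIGN_PAYLOAD))
    print("safe_loads on malicious data:", attempt_safe_loads(MALICIOUS_PAYLOAD))
```

The allowlist is a containment measure, not a cure: any class it admits can still be reached with attacker-chosen state, so the real fix for a view that reads client-supplied data is to stop deserializing it at all (accept JSON, or sign the blob and verify before loading). The same shape applies to the PHP unserialize and Ruby Marshal entries below, where the equivalent hooks are `allowed_classes` and avoiding Marshal on cache or request data.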

 
2020-06-20  Medium  CVE-2020-14933  Squirrelmail / Squirrelmail
    compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request.

2020-06-20  Medium  CVE-2020-14932  Squirrelmail / Squirrelmail
    compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php.

2020-06-19  Medium  CVE-2020-8165   Rubyonrails / Rails
    A deserialization of untrusted data vulnerability exists in rails < 5.2.5, rails < 6.0.4 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

2020-06-19  Medium  CVE-2020-8164   Rubyonrails / Rails
    A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information that can be inadvertently leaked from Strong Parameters.

2020-06-14  Medium  CVE-2020-14060  Fasterxml / Jackson-databind
    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

2020-06-14  Medium  CVE-2020-14061  Fasterxml / Jackson-databind
    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

2020-06-14  Medium  CVE-2020-14062  Fasterxml / Jackson-databind
    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

2020-06-11  Low     CVE-2020-0132   Google / Android
    In BnAAudioService::onTransact of IAAudioService.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-139473816.

2020-06-10  pending CVE-2020-4043   (vendor / software not yet listed)
    phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.


 


Copyright 2020, cxsecurity.com