CWE:
 

| Severity | Topic | Date | Author |
| --- | --- | --- | --- |
| High | Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization | 20.05.2020 | Moritz Bechler |
| Med. | ManageEngine Desktop Central FileStorage getChartImage Deserialization / Unauthenticated Remote Code Execution | 08.03.2020 | Mr_me |
| Med. | Revive Adserver Deserialization / Open Redirect | 02.05.2019 | Matteo Beccati |
| High | OpenMRS Platform Insecure Object Deserialization | 05.02.2019 | Bishop Fox |
| Med. | Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation | 01.02.2017 | Matteo Beccati |
| High | Solarwinds Virtualization Manager 6.3.1 Java Deserialization | 17.06.2016 | Nate Kettlewell |


CVEMAP Search Results

| Date | Severity | CVE | Vendor | Software | Description |
| --- | --- | --- | --- | --- | --- |
| 2021-02-18 | Medium | CVE-2021-27335 | Kollectapp | Kollect | KollectApps before 4.8.16c is affected by insecure Java deserialization, leading to Remote Code Execution via a ysoserial.payloads.CommonsCollections parameter. |
| 2021-02-17 | Medium | CVE-2021-22855 | Hr portal project | Hr portal | The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands. |
| 2021-02-14 | Medium | CVE-2021-27213 | Pystemon project | Pystemon | config.py in pystemon before 2021-02-13 allows code execution via YAML deserialization because SafeLoader and safe_load are not used. |
| 2021-02-12 | High | CVE-2020-27868 | Qognify | Ocularis | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Qognify Ocularis 5.9.0.395. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of serialized objects provided to the EventCoordinator endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-11257. |
| 2021-02-08 | High | CVE-2021-26913 | Netmotionsoftware | Netmotion mo... | NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in RpcServlet. |
| | High | CVE-2021-26915 | Netmotionsoftware | Netmotion mo... | NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in webrepdb StatusServlet. |
| | High | CVE-2021-26914 | Netmotionsoftware | Netmotion mo... | NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject. |
| | High | CVE-2021-26912 | Netmotionsoftware | Netmotion mo... | NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in SupportRpcServlet. |
| 2021-02-03 | Medium | CVE-2021-25758 | Jetbrains | Intellij idea | In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to code execution. |
| | High | CVE-2021-25274 | Solarwinds | Orion platform | The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem. |

Copyright 2021, cxsecurity.com