CWE:
 

| Risk | Topic | Date | Author |
|------|-------|------|--------|
| High | OpenMRS Platform Insecure Object Deserialization | 05.02.2019 | Bishop Fox |
| Med. | Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation | 01.02.2017 | Matteo Beccati |
| High | Solarwinds Virtualization Manager 6.3.1 Java Deserialization | 17.06.2016 | Nate Kettlewell |


CVEMAP Search Results

| Date | Severity | CVE | Details | Description |
|------|----------|-----|---------|-------------|
| 2019-02-04 | Medium | CVE-2019-1000005 | Vendor: Mpdf project; Software: MPDF | mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. The attack appears to be exploitable when an attacker hosts a crafted image on the victim server and triggers generation of a PDF file with the content `<img src="phar://path/to/crafted/image">`. This vulnerability appears to have been fixed in 7.1.8. |
| 2019-01-22 | Medium | CVE-2019-6503 | Vendor: Chatopera; Software: Cosin | There is a deserialization vulnerability in Chatopera cosin v3.10.0. An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method. |
| 2019-01-16 | Medium | CVE-2018-20732 | Vendor: SAS; Software: Web infrastr... | SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to execute arbitrary code via a Java deserialization variant. |
| 2019-01-16 | Medium | CVE-2019-6446 | Vendor: Numpy; Software: Numpy | An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. |
| 2019-01-09 | Medium | CVE-2018-6162 | Vendor: Google; Software: Chrome | Improper deserialization in WebGL in Google Chrome on Mac prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| 2019-01-02 | Medium | CVE-2018-14718 | Vendor: Fasterxml; Software: Jackson-databind | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. |
| 2019-01-02 | Medium | CVE-2018-14719 | Vendor: Fasterxml; Software: Jackson-databind | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. |
| 2019-01-02 | Medium | CVE-2018-19360 | Vendor: Fasterxml; Software: Jackson-databind | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. |
| 2019-01-02 | Medium | CVE-2018-19361 | Vendor: Fasterxml; Software: Jackson-databind | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. |
| 2019-01-02 | Medium | CVE-2018-19362 | Vendor: Fasterxml; Software: Jackson-databind | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. |


Copyright 2019, cxsecurity.com

 
