CWE:
 

Topic
Date
Author
Low
SAP Wily Introscope Enterprise OS Command Injection
19.06.2021
Yvan Genuer
High
Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization
20.05.2020
Moritz Bechler
Med.
ManageEngine Desktop Central FileStorage getChartImage Deserialization / Unauthenticated Remote Code Execution
08.03.2020
Mr_me
Med.
Revive Adserver Deserialization / Open Redirect
02.05.2019
Matteo Beccati
High
OpenMRS Platform Insecure Object Deserialization
05.02.2019
Bishop Fox
Med.
Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation
01.02.2017
Matteo Beccati
High
Solarwinds Virtualization Manager 6.3.1 Java Deserialization
17.06.2016
Nate Kettlewell


CVEMAP Search Results

CVE
Details
Description
2022-05-23
Waiting for details
CVE-2021-32935

Updating...
 

 
The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.

 
2022-05-17
Waiting for details
CVE-2022-1118

Updating...
 

 
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

 
2022-05-10
Medium
CVE-2022-1463

Vendor: Booking calendar project
Software: Booking calendar
 

 
The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.

 
2022-04-20
Medium
CVE-2022-29528

Vendor: MISP
Software: MISP
 

 
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

 
Medium
CVE-2022-26133

Vendor: Atlassian
Software: Bitbucket da...
 

 
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

 
2022-04-15
Medium
CVE-2022-27158

Vendor: PHP
Software: Pearweb
 

 
pearweb < 1.32 suffers from Deserialization of Untrusted Data.

 
2022-04-14
Medium
CVE-2022-24846

Vendor: Geoserver
Software: Geowebcache
 

 
GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.

 
High
CVE-2021-21956

Vendor: Cloudlinux
Software: Imunify360
 

 
A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

 
2022-04-13
High
CVE-2019-6834

Vendor: Schneider-electric
Software: Software update
 

 
A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)

 
Medium
CVE-2022-22957

Updating...
 

 
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.

 

 


Copyright 2022, cxsecurity.com

 

Back to Top