CWE:

	Topic	Date	Author
Med.	OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue	11.04.2024	Martin Heiland
Med.	Artica Proxy 4.50 Unauthenticated PHP Deserialization	09.03.2024	Jaggar Henry
Med.	WordPress BeTheme 26.5.1.4 PHP Object Injection	22.11.2022	Julien Ahrens
High	TIBCO JasperReports Server 8.0.2 Community Edition Code Execution	13.09.2022	Moritz Bechler
Low	SAP Wily Introscope Enterprise OS Command Injection	19.06.2021	Yvan Genuer
High	Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization	20.05.2020	Moritz Bechler
Med.	ManageEngine Desktop Central FileStorage getChartImage Deserialization / Unauthenticated Remote Code Execution	08.03.2020	Mr_me
Med.	Revive Adserver Deserialization / Open Redirect	02.05.2019	Matteo Beccati
High	OpenMRS Platform Insecure Object Deserialization	05.02.2019	Bishop Fox
Med.	Revive Adserver 4.0.0 XSS / Deserialization / Session Fixation	01.02.2017	Matteo Beccati
High	Solarwinds Virtualization Manager 6.3.1 Java Deserialization	17.06.2016	Nate Kettlewell

---

CVEMAP Search Results

CVE

Details

Description

2024-07-24

CVE-2024-7067

Updating...

A vulnerability was found in kirilkirkov Ecommerce-Laravel-Bootstrap up to 1f1097a3448ce8ec53e034ea0f70b8e2a0e64a87. It has been rated as critical. Affected by this issue is the function getCartProductsIds of the file app/Cart.php. The manipulation of the argument laraCart leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The name of the patch is a02111a674ab49f65018b31da3011b1e396f59b1. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-272348.

2024-07-22

CVE-2024-38759

Updating...

Deserialization of Untrusted Data vulnerability in WP MEDIA SAS Search & Replace.This issue affects Search & Replace: from n/a through 3.2.2.

2024-07-21

	CVE-2024-6943	Updating...	A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272065 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
	CVE-2024-6944	Updating...	A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-272066 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

2024-07-17

CVE-2024-28074

Updating...

It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.

2024-07-15

	CVE-2023-46801	Updating...	In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.
	CVE-2023-49566	Updating...	In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.  This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

2024-07-10

	CVE-2024-6644	Updating...	A vulnerability was found in zmops ArgusDBM up to 0.1.0. It has been classified as critical. Affected is the function getDefaultClassLoader of the file CalculateAlarm.java of the component AviatorScript Handler. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-271050 is the identifier assigned to this vulnerability.
	CVE-2024-6645	Updating...	A vulnerability was found in WuKongOpenSource Wukong_nocode up to 20230807. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file ExpressionUtil.java of the component AviatorScript Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The associated identifier of this vulnerability is VDB-271051.

2024-07-09

CVE-2023-32737

Updating...

A vulnerability has been identified in SIMATIC STEP 7 Safety V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300.

 

---

Copyright 2024, cxsecurity.com