Total
1399 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-9474 | | | 2024-11-20 | N/A | 8.4 HIGH |
In writeToParcel of MediaPlayer.java, there is a possible serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2024-10382 | | | 2024-11-20 | N/A | 7.5 HIGH |
There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService, deserialization logic is used that allows arbitrary Java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victim's Android device that uses the CarAppService Class, and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02. | |||||
CVE-2024-52430 | 1 Lis | 1 Video Gallery | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Lis Lis Video Gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through 0.2.1. | |||||
CVE-2024-52432 | 1 Nixsolutions | 1 Nix Anti-spam Light | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Object Injection. This issue affects NIX Anti-Spam Light: from n/a through 0.0.4. | |||||
CVE-2024-52433 | 1 Mindstien | 1 My Geo Posts Free | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free allows Object Injection. This issue affects My Geo Posts Free: from n/a through 1.2. | |||||
CVE-2024-10913 | | | 2024-11-20 | N/A | 8.8 HIGH |
The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
CVE-2024-52445 | | | 2024-11-20 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in Modeltheme QRMenu Restaurant QR Menu Lite allows Object Injection. This issue affects QRMenu Restaurant QR Menu Lite: from n/a through 1.0.3. | |||||
CVE-2024-52443 | | | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Nerijus Masikonis Geolocator allows Object Injection. This issue affects Geolocator: from n/a through 1.1. | |||||
CVE-2024-52440 | | | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Bueno Labs Pvt. Ltd. Xpresslane Fast Checkout allows Object Injection. This issue affects Xpresslane Fast Checkout: from n/a through 1.0.0. | |||||
CVE-2024-52439 | | | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Mark O’Donnell Team Rosters allows Object Injection. This issue affects Team Rosters: from n/a through 4.6. | |||||
CVE-2024-10828 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-19 | N/A | 9.8 CRITICAL |
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
CVE-2021-3838 | 1 Dompdf Project | 1 Dompdf | 2024-11-19 | N/A | 9.8 CRITICAL |
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code. | |||||
CVE-2024-52306 | 1 Backpackforlaravel | 1 Filemanager | 2024-11-19 | N/A | 9.8 CRITICAL |
FileManager provides a Backpack admin interface for files and folders. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9. | |||||
CVE-2024-52410 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector allows Object Injection. This issue affects Referrer Detector: from n/a through 4.2.1.0. | |||||
CVE-2024-52414 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu allows Object Injection. This issue affects WDES Responsive Mobile Menu: from n/a through 5.3.18. | |||||
CVE-2024-52413 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in DMC Airin Blog allows Object Injection. This issue affects Airin Blog: from n/a through 1.6.1. | |||||
CVE-2024-52411 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Flowcraft UX Design Studio Advanced Personalization allows Object Injection. This issue affects Advanced Personalization: from n/a through 1.1.2. | |||||
CVE-2024-52412 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection. This issue affects Xin: from n/a through 1.0.8.1. | |||||
CVE-2024-52409 | | | 2024-11-18 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Phan An AJAX Random Posts allows Object Injection. This issue affects AJAX Random Posts: from n/a through 0.3.3. | |||||
CVE-2024-41151 | | | 2024-11-18 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in Apache HertzBeat. This vulnerability can only be exploited by authorized attackers. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue. |