Total
1399 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10456 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. | |||||
| CVE-2024-50507 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection.This issue affects DS.DownloadList: from n/a through 1.3. | |||||
| CVE-2024-43383 | 2024-11-01 | N/A | 8.0 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue. | |||||
| CVE-2021-4451 | 1 Nintechnet | 1 Ninjafirewall | 2024-10-30 | N/A | 7.2 HIGH |
| The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall). | |||||
| CVE-2024-50416 | 1 Wpclever | 1 Wpc Shop As A Customer For Woocommerce | 2024-10-29 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6. | |||||
| CVE-2024-50408 | 1 Kibokolabs | 1 Namaste\! Lms | 2024-10-29 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection.This issue affects Namaste! LMS: from n/a through 2.6.3. | |||||
| CVE-2024-49684 | 2024-10-25 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21. | |||||
| CVE-2024-49332 | 1 Giveawayboost | 1 Giveaway Boost | 2024-10-24 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection.This issue affects Giveaway Boost: from n/a through 2.1.4. | |||||
| CVE-2024-49625 | 1 Brandonclark | 1 Sitebuilder Dynamic Components | 2024-10-24 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection.This issue affects SiteBuilder Dynamic Components: from n/a through 1.0. | |||||
| CVE-2024-49624 | 1 Smartdevth | 1 Advanced Advertising System | 2024-10-24 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Smartdevth Advanced Advertising System allows Object Injection.This issue affects Advanced Advertising System: from n/a through 1.3.1. | |||||
| CVE-2024-49626 | 1 Piyushmca | 1 Shipyaari Shipping Management | 2024-10-23 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in Piyushmca Shipyaari Shipping Management allows Object Injection.This issue affects Shipyaari Shipping Management: from n/a through 1.2. | |||||
| CVE-2023-27296 | 1 Apache | 1 Inlong | 2024-10-23 | N/A | 8.8 HIGH |
| Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 | |||||
| CVE-2023-26464 | 1 Apache | 1 Log4j | 2024-10-23 | N/A | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-38094 | 1 Microsoft | 1 Sharepoint Server | 2024-10-23 | N/A | 7.2 HIGH |
| Microsoft SharePoint Remote Code Execution Vulnerability | |||||
| CVE-2023-29216 | 1 Apache | 1 Linkis | 2024-10-22 | N/A | 9.8 CRITICAL |
| In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. | |||||
| CVE-2023-29215 | 1 Apache | 1 Linkis | 2024-10-22 | N/A | 9.8 CRITICAL |
| In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. | |||||
| CVE-2024-10079 | 1 Newsignature | 1 Wp Easy Post Types | 2024-10-22 | N/A | 8.8 HIGH |
| The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajax_import_content' function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-47561 | 2024-10-21 | N/A | 7.3 HIGH | ||
| Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. | |||||
| CVE-2024-9917 | 1 Usualtool | 1 Usualtoolcms | 2024-10-19 | 6.5 MEDIUM | 4.9 MEDIUM |
| A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. This affects an unknown part of the file app/modules/ut-template/admin/template_creat.php. The manipulation of the argument content leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-47836 | 2024-10-18 | N/A | 3.5 LOW | ||
| Admidio is an open-source user management solution. Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Version 4.3.12 fixes this issue. | |||||