Total: 1399 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-49318 | | | 2024-10-18 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection. This issue affects My Reading Library: from n/a through 1.0.
CVE-2024-40711 | 1 Veeam | 1 Veeam Backup & Replication | 2024-10-18 | N/A | 9.8 CRITICAL | A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).
CVE-2024-9953 | 1 Cert | 1 Vince | 2024-10-17 | N/A | 4.9 MEDIUM | A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user's profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
CVE-2023-48952 | 1 Openlinksw | 1 Virtuoso | 2024-10-17 | N/A | 7.5 HIGH | An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
CVE-2024-45733 | 2 Microsoft, Splunk | 2 Windows, Splunk | 2024-10-16 | N/A | 8.8 HIGH | In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an insecure session storage configuration.
CVE-2024-9634 | | | 2024-10-16 | N/A | 9.8 CRITICAL | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
CVE-2024-49218 | | | 2024-10-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection. This issue affects Recently: from n/a through 1.1.
CVE-2024-48028 | | | 2024-10-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 allows Object Injection. This issue affects IP Loc8: from n/a through 1.1.
CVE-2024-48030 | | | 2024-10-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Gabriele Valenti Telecash Ricaricaweb allows Object Injection. This issue affects Telecash Ricaricaweb: from n/a through 2.2.
CVE-2024-49227 | | | 2024-10-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in Innovaweb Sp. Z o.O. Free Stock Photos Foter allows Object Injection. This issue affects Free Stock Photos Foter: from n/a through 1.5.4.
CVE-2024-49226 | | | 2024-10-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in TAKETIN TAKETIN To WP Membership allows Object Injection. This issue affects TAKETIN To WP Membership: from n/a through 2.8.0.
CVE-2024-48026 | | | 2024-10-16 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Grayson Robbins Disc Golf Manager allows Object Injection. This issue affects Disc Golf Manager: from n/a through 1.0.0.
CVE-2024-36984 | | | 2024-10-15 | N/A | 8.8 HIGH | In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.
CVE-2023-25581 | | | 2024-10-15 | N/A | N/A | pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place that puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-48033 | | | 2024-10-15 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection. This issue affects Talkback: from n/a through 1.0.
CVE-2023-48886 | 1 Luxiaoxun | 1 Nettyrpc | 2024-10-11 | N/A | 9.8 CRITICAL | A deserialization vulnerability in NettyRpc v1.2 allows attackers to execute arbitrary commands via sending a crafted RPC request.
CVE-2023-31058 | 1 Apache | 1 Inlong | 2024-10-11 | N/A | 7.5 HIGH | Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the 'autoDeserialize' option filtering by adding blanks. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674 to solve it.
CVE-2023-26592 | 1 Intel | 1 Thunderbolt Dch Driver | 2024-10-10 | N/A | 3.8 LOW | Deserialization of untrusted data in some Intel(R) Thunderbolt(TM) DCH drivers for Windows before version 88 may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2023-46615 | 1 Kallidan | 1 Kd Coming Soon | 2024-10-10 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Kalli Dan. KD Coming Soon. This issue affects KD Coming Soon: from n/a through 1.7.
CVE-2024-9005 | | | 2024-10-10 | N/A | 7.1 HIGH | CWE-502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server.