Total: 1396 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-28991 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-16 | N/A | 8.8 HIGH | SolarWinds Access Rights Manager (ARM) is susceptible to a remote code execution vulnerability: an authenticated user could abuse the service to achieve remote code execution. |
CVE-2024-45855 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when 'finetune' is used on it. |
CVE-2024-45854 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH | Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when a 'describe' query is run on it. |
CVE-2024-45853 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 7.5 HIGH | Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when it is used for a prediction. |
CVE-2024-45852 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 8.8 HIGH | Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when it is interacted with. |
CVE-2024-22399 | | | 2024-09-16 | N/A | N/A | Deserialization of Untrusted Data vulnerability in Apache Seata. When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, an attacker can construct uncontrolled malicious serialized requests by sending crafted bytes directly over the Seata private protocol. This issue affects Apache Seata 2.0.0 and 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0 or 1.8.1, which fix the issue. |
CVE-2024-8862 | | | 2024-09-16 | 7.5 HIGH | 7.3 HIGH | A vulnerability classified as critical was found in h2oai h2o-3 3.46.0.4. It affects the function getConnectionSafe of the file /dtale/chart-data/1 in the JDBC Connection Handler component. Manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2023-2042 | 1 Datagear | 1 Datagear | 2024-09-16 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability classified as problematic was found in DataGear up to 4.7.0/5.1.0. It affects unknown functionality of the JDBC Server Handler component. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2023-46147 | 1 Themify | 1 Ultra | 2024-09-16 | N/A | 8.8 HIGH | Deserialization of Untrusted Data vulnerability in Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5. |
CVE-2024-37288 | 1 Elastic | 1 Kibana | 2024-09-16 | N/A | 8.8 HIGH | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security's built-in AI tools (https://www.elastic.co/guide/en/security/current/ai-for-security.html) and have configured an Amazon Bedrock connector (https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html). |
CVE-2024-39705 | | | 2024-09-15 | N/A | 9.8 CRITICAL | NLTK through 3.8.1 allows remote code execution if untrusted packages contain pickled Python code and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt. |
CVE-2024-43931 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-09-13 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in eyecix JobSearch allows Object Injection. This issue affects JobSearch: from n/a through 2.5.3. |
CVE-2024-41874 | 1 Adobe | 1 Coldfusion | 2024-09-13 | N/A | 9.8 CRITICAL | ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application which, when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction. |
CVE-2022-2446 | | | 2024-09-13 | N/A | 7.2 HIGH | The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP objects, which can be used to perform a variety of malicious actions provided a POP chain is also present. It also requires that the attacker succeeds in uploading a file with the serialized payload. |
CVE-2024-43464 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 7.2 HIGH | Microsoft SharePoint Server Remote Code Execution Vulnerability |
CVE-2024-43466 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 7.5 HIGH | Microsoft SharePoint Server Denial of Service Vulnerability |
CVE-2024-29847 | 1 Ivanti | 1 Endpoint Manager | 2024-09-12 | N/A | 9.8 CRITICAL | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update, allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2023-46227 | 1 Apache | 1 Inlong | 2024-09-12 | N/A | 7.5 HIGH | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0; the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick https://github.com/apache/inlong/pull/8814 to solve it. |
CVE-2024-45857 | | | 2024-09-12 | N/A | 7.8 HIGH | Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user's system when the data directory is loaded. |
CVE-2024-44902 | | | 2024-09-10 | N/A | 9.8 CRITICAL | A deserialization vulnerability in ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. |
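Several of the entries above share one root cause: a pickle file supplied by an untrusted party (the MindsDB 'inhouse' model uploads in CVE-2024-45852 through CVE-2024-45855, the NLTK data packages in CVE-2024-39705, the Cleanlab datalab.pkl in CVE-2024-45857) is loaded with the standard unpickler, which imports and calls whatever global the file names. The following is an added example, not code from any of the listed projects or advisories. It shows the two controls a practitioner would want when a pickle must be accepted from outside: a static opcode scan that lists the globals the file would import before anything is loaded, and a restricted unpickler whose allowlist is enforced at load time. The allowlist contents (a single collections.OrderedDict entry) and all sample payloads are constructed here for illustration and are not taken from any real artifact.

```python
"""Triage and restricted loading of pickle artifacts (added example)."""
import io
import pickle
import pickletools

# Opcodes that push a str onto the unpickler's stack. STACK_GLOBAL (protocol
# 4+) pops two of them, module then qualified name, and imports the attribute.
_STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}

# Assumed allowlist for a plain data artifact (dicts, lists, numbers,
# strings). Anything else the pickle tries to import is rejected.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def referenced_globals(data: bytes) -> set:
    """List every (module, name) the pickle would import, without loading it.

    Handles GLOBAL and INST (protocol 0-3, argument is "module name") and
    STACK_GLOBAL (protocol 4+, module and name are the two preceding strings).
    """
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.add((recent_strings[-2], recent_strings[-1]))
        if op.name in _STRING_OPS:
            recent_strings.append(arg)
    return found


def triage(data: bytes):
    """Static check: (True, refs) if every import is allowlisted, else (False, refs)."""
    refs = referenced_globals(data)
    return refs <= ALLOWED_GLOBALS, refs


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals. GLOBAL, STACK_GLOBAL,
    INST and OBJ all go through find_class, so this is enforced at load time."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from an untrusted pickle")


def attempt_load(data: bytes):
    """Return ("ok", obj) or ("refused", message); never executes a payload."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


# Constructed samples for the demo; not taken from any real model artifact.
class _Payload:
    """Stand-in for a malicious 'model': unpickling would call builtins.eval."""

    def __reduce__(self):
        return (eval, ("print('pwned')",))


BENIGN = pickle.dumps(
    {"tagger": "averaged_perceptron", "weights": [0.1, 0.2]}, protocol=4)
MALICIOUS_P4 = pickle.dumps(_Payload(), protocol=4)
# Hand-written protocol-0 payload: GLOBAL os.system, then REDUCE with ('id',).
MALICIOUS_P0 = b"cos\nsystem\n(S'id'\ntR."


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("malicious-p4", MALICIOUS_P4),
                        ("malicious-p0", MALICIOUS_P0)]:
        ok, refs = triage(blob)
        print(f"{label}: imports={sorted(refs)} static_ok={ok}")
        print(f"  load -> {attempt_load(blob)}")
```

The static scan is a triage aid only: its string-tracking heuristic for STACK_GLOBAL can be confused by memo opcodes (BINPUT/BINGET) that move strings around the stack, so the find_class allowlist is the authoritative control. An allowlist also cannot make a pickle that legitimately needs code objects or custom classes safe, which is why a model file uploaded by an untrusted party, as in the MindsDB and Cleanlab entries, has to be treated as code execution unless its origin is verified before loading.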