Total: 1478 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-4271 | 1 Restlet | 1 Restlet | 2024-11-21 | 7.5 HIGH | N/A |
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. | |||||
CVE-2013-1465 | 1 Cubecart | 1 Cubecart | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. | |||||
CVE-2012-4406 | 3 Fedoraproject, Openstack, Redhat | 7 Fedora, Swift, Enterprise Linux Server and 4 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. | |||||
CVE-2012-3527 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2024-11-21 | 4.6 MEDIUM | N/A |
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)." | |||||
CVE-2012-0911 | 1 Tiki | 1 Tikiwiki Cms/groupware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. | |||||
CVE-2011-2894 | 1 Vmware | 2 Spring Framework, Spring Security | 2024-11-21 | 6.8 MEDIUM | N/A |
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. | |||||
CVE-2011-2520 | 2 Fedoraproject, Redhat | 2 Fedora, System-config-firewall | 2024-11-21 | 6.0 MEDIUM | 7.8 HIGH |
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object. | |||||
CVE-2010-4574 | 2 Google, Linux | 3 Chrome, Chrome Os, Linux Kernel | 2024-11-21 | 7.5 HIGH | N/A |
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data. | |||||
CVE-2010-3258 | 1 Google | 1 Chrome | 2024-11-21 | 9.3 HIGH | N/A |
The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors. | |||||
CVE-2007-1701 | 1 Php | 1 Php | 2024-11-21 | 6.8 MEDIUM | N/A |
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:". | |||||
CVE-2003-0791 | 2 Mozilla, Sco | 2 Mozilla, Openserver | 2024-11-20 | 7.5 HIGH | 9.8 CRITICAL |
The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed. | |||||
CVE-2018-9474 | | | 2024-11-20 | N/A | 8.4 HIGH |
In writeToParcel of MediaPlayer.java, there is a possible serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2024-10382 | | | 2024-11-20 | N/A | 7.5 HIGH |
There exists a code execution vulnerability in the Car App Android Jetpack Library. In CarAppService, deserialization logic is used that allows arbitrary Java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victim's Android device that uses the CarAppService class, and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02. | |||||
CVE-2024-52430 | 1 Lis | 1 Video Gallery | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Lis Lis Video Gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through 0.2.1. | |||||
CVE-2024-52432 | 1 Nixsolutions | 1 Nix Anti-spam Light | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light allows Object Injection. This issue affects NIX Anti-Spam Light: from n/a through 0.0.4. | |||||
CVE-2024-52433 | 1 Mindstien | 1 My Geo Posts Free | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free allows Object Injection. This issue affects My Geo Posts Free: from n/a through 1.2. | |||||
CVE-2024-10913 | | | 2024-11-20 | N/A | 8.8 HIGH |
The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
CVE-2024-52445 | | | 2024-11-20 | N/A | 8.8 HIGH |
Deserialization of Untrusted Data vulnerability in Modeltheme QRMenu Restaurant QR Menu Lite allows Object Injection. This issue affects QRMenu Restaurant QR Menu Lite: from n/a through 1.0.3. | |||||
CVE-2024-52443 | | | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Nerijus Masikonis Geolocator allows Object Injection. This issue affects Geolocator: from n/a through 1.1. | |||||
CVE-2024-52440 | | | 2024-11-20 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Bueno Labs Pvt. Ltd. Xpresslane Fast Checkout allows Object Injection. This issue affects Xpresslane Fast Checkout: from n/a through 1.0.0. | |||||
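The following is an added example written for this page; it is not code from OpenStack Swift, system-config-firewall, TYPO3 or any other product listed above. It shows the mechanism behind the Python entries (CVE-2012-4406, CVE-2011-2520): `pickle.loads` on bytes an attacker can write into memcached or a D-Bus message executes whatever callable the pickle names. It then shows the two fixes a maintainer can apply, a restricted unpickler that refuses unexpected globals, and an HMAC over the serialized bytes (the "signature" CVE-2012-3527 notes was missing), which generalizes to the PHP `unserialize` entries as well. The gadget, the key and the metadata dict are constructed for the demonstration; a real payload would call `os.system` or `subprocess` instead of `eval`.

```python
"""Unsafe pickle deserialization and two mitigations (constructed example)."""
import hashlib
import hmac
import io
import pickle


class Gadget:
    """Pickle gadget.  When an object's __reduce__ returns (callable, args),
    the Unpickler calls callable(*args) while loading.  eval is used here so
    the example runs without shelling out; os.system would work the same way."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def make_payload() -> bytes:
    """The bytes an attacker would plant in memcached or send over D-Bus."""
    return pickle.dumps(Gadget())


def unsafe_loads(blob: bytes):
    """Vulnerable pattern: trusting pickle data read back from an external store.
    Returns the gadget's eval result, proving the callable ran."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: allow-list the globals the application actually needs.
    Primitive containers (dict, list, str, int, ...) are rebuilt without
    find_class, so metadata blobs usually need an empty or tiny allow list."""

    ALLOWED = {("collections", "OrderedDict")}  # constructed allow list

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of MAC prefixed to the blob


def seal(obj, key: bytes) -> bytes:
    """Mitigation 2: MAC the serialized bytes so a tampered blob is rejected
    before any deserialization happens."""
    blob = pickle.dumps(obj)
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def open_sealed(envelope: bytes, key: bytes):
    tag, blob = envelope[:TAG_LEN], envelope[TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: refusing to deserialize")
    # Defense in depth: even a correctly signed blob goes through the allow list.
    return restricted_loads(blob)


if __name__ == "__main__":
    payload = make_payload()
    print("unsafe_loads ran the gadget; eval returned pid", unsafe_loads(payload))
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError as exc:
        print("restricted_loads:", exc)
    key = b"constructed-demo-key"
    env = seal({"x-object-meta-owner": "alice", "size": 42}, key)  # constructed
    print("sealed round trip:", open_sealed(env, key))
    try:
        open_sealed(env[:TAG_LEN] + payload, key)  # keep tag, swap in the gadget
    except ValueError as exc:
        print("tampered envelope:", exc)
```

Both mitigations are needed: the MAC stops an attacker who can only write to the store, and the allow list limits the damage if the key leaks or a signed blob is replayed from a compromised component.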