Vulnerabilities (CVE)

Filtered by CWE-502
Total 1479 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-6933 1 Wpengine 1 Better Search Replace 2024-11-21 N/A 9.8 CRITICAL
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2023-6730 1 Huggingface 1 Transformers 2024-11-21 N/A 8.8 HIGH
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
CVE-2023-6656 1 Iperov 1 Deepfacelab 2024-11-21 5.1 MEDIUM 5.0 MEDIUM
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22. It has been rated as critical. Affected by this issue is some unknown functionality of the file DFLIMG/DFLJPG.py. The manipulation leads to deserialization. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The identifier of this vulnerability is VDB-247364. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-6654 1 Phpems 1 Phpems 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in PHPEMS 6.x/7.x/8.x/9.0. Affected by this vulnerability is an unknown functionality in the library lib/session.cls.php of the component Session Data Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247357 was assigned to this vulnerability.
CVE-2023-6580 1 Dlink 2 Dir-846, Dir-846 Firmware 2024-11-21 9.0 HIGH 8.8 HIGH
A vulnerability, which was classified as critical, was found in D-Link DIR-846 FW100A53DBR. This affects an unknown part of the file /HNAP1/ of the component QoS POST Handler. The manipulation of the argument smartqos_express_devices/smartqos_normal_devices leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247161 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-6528 1 Themepunch 1 Slider Revolution 2024-11-21 N/A 8.8 HIGH
The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.
CVE-2023-6378 1 Qos 1 Logback 2024-11-21 N/A 7.1 HIGH
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
CVE-2023-6049 1 Estatik 1 Estatik 2024-11-21 N/A 9.8 CRITICAL
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog
CVE-2023-5391 1 Schneider-electric 3 Ecostruxure Power Monitoring Expert, Ecostruxure Power Operation With Advanced Reports, Ecostruxure Power Scada Operation With Advanced Reports 2024-11-21 N/A 9.8 CRITICAL
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.
CVE-2023-5235 1 Kutethemes 1 Ovic Responsive Wpbakery 2024-11-21 N/A 8.8 HIGH
The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks.
CVE-2023-5183 1 Illumio 1 Core Policy Compute Engine 2024-11-21 N/A 9.9 CRITICAL
Unsafe deserialization of untrusted JSON allows execution of arbitrary code on affected releases of the Illumio PCE. Authentication to the API is required to exploit this vulnerability. The flaw exists within the network_traffic API endpoint. An attacker can leverage this vulnerability to execute code in the context of the PCE’s operating system user.  
CVE-2023-5016 1 Ssssssss 1 Spider-flow 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in spider-flow up to 0.5.0. It has been declared as critical. Affected by this vulnerability is the function DriverManager.getConnection of the file src/main/java/org/spiderflow/controller/DataSourceController.java of the component API. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239857 was assigned to this vulnerability.
CVE-2023-52225 1 Taggbox 1 Taggbox 2024-11-21 N/A 10.0 CRITICAL
Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1.
CVE-2023-52219 1 Gecka 1 Terms Thumbnails 2024-11-21 N/A 9.9 CRITICAL
Deserialization of Untrusted Data vulnerability in Gecka Gecka Terms Thumbnails.This issue affects Gecka Terms Thumbnails: from n/a through 1.1.
CVE-2023-52218 1 Antonbond 1 Woocommerce Tranzila Payment Gateway 2024-11-21 N/A 10.0 CRITICAL
Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway.This issue affects Woocommerce Tranzila Payment Gateway: from n/a through 1.0.8.
CVE-2023-52207 1 Svnlabs 1 Html5 Mp3 Player With Playlist Free 2024-11-21 N/A 9.1 CRITICAL
Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Playlist Free.This issue affects HTML5 MP3 Player with Playlist Free: from n/a through 3.0.0.
CVE-2023-52206 1 Blueastral 1 Page Builder\ 2024-11-21 N/A 7.7 HIGH
Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer live-composer-page-builder.This issue affects Page Builder: Live Composer: from n/a through 1.5.25.
CVE-2023-52205 1 Svnlabs 1 Html5 Soundcloud Player With Playlist Free 2024-11-21 N/A 9.1 CRITICAL
Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 SoundCloud Player with Playlist Free.This issue affects HTML5 SoundCloud Player with Playlist Free: from n/a through 2.8.0.
CVE-2023-52202 1 Svnlabs 1 Html5 Mp3 Player With Folder Feedburner Playlist Free 2024-11-21 N/A 9.1 CRITICAL
Deserialization of Untrusted Data vulnerability in SVNLabs Softwares HTML5 MP3 Player with Folder Feedburner Playlist Free.This issue affects HTML5 MP3 Player with Folder Feedburner Playlist Free: from n/a through 2.8.0.
CVE-2023-52200 1 Reputeinfosystems 1 Armember 2024-11-21 N/A 9.6 CRITICAL
Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup.This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a.