Total
1457 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-26579 | 2024-06-10 | N/A | N/A | ||
Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707 | |||||
CVE-2018-15133 | 1 Laravel | 1 Laravel | 2024-06-10 | 6.8 MEDIUM | 8.1 HIGH |
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. | |||||
CVE-2024-5351 | 2024-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been declared as critical. Affected by this vulnerability is the function getValueFromJs of the component Javascript Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266263. | |||||
CVE-2024-4019 | 2024-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
A vulnerability classified as critical has been found in Byzoro Smart S80 Management Platform up to 20240411. Affected is an unknown function of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-261666 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-33568 | 2024-06-04 | N/A | 8.5 HIGH | ||
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from n/a through 7.7.4. | |||||
CVE-2024-37064 | 2024-06-04 | N/A | 7.8 HIGH | ||
Deseriliazation of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when loaded. | |||||
CVE-2024-37054 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37059 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37053 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37062 | 2024-06-04 | N/A | 7.8 HIGH | ||
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a malicously crafted report to run arbitrary code on an end user's system when loaded. | |||||
CVE-2024-37058 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37057 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37056 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37060 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | |||||
CVE-2024-37055 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-37065 | 2024-06-04 | N/A | 7.8 HIGH | ||
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded. | |||||
CVE-2024-37052 | 2024-06-04 | N/A | 8.8 HIGH | ||
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
CVE-2024-3301 | 2024-05-30 | N/A | 8.5 HIGH | ||
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution. | |||||
CVE-2024-3300 | 2024-05-30 | N/A | 9.0 CRITICAL | ||
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to pre-authentication remote code execution. | |||||
CVE-2023-38155 | 1 Microsoft | 1 Azure Devops Server | 2024-05-29 | N/A | 8.1 HIGH |
Azure DevOps Server Remote Code Execution Vulnerability |