Total
1486 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20944 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| In run of ChooseTypeAndAccountActivity.java, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-244154558 | |||||
| CVE-2023-20888 | 1 Vmware | 1 Vrealize Network Insight | 2024-11-21 | N/A | 8.8 HIGH |
| Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. | |||||
| CVE-2023-20878 | 1 Vmware | 2 Cloud Foundation, Vrealize Operations | 2024-11-21 | N/A | 7.2 HIGH |
| VMware Aria Operations contains a deserialization vulnerability. A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system. | |||||
| CVE-2023-20864 | 1 Vmware | 2 Aria Operations For Logs, Cloud Foundation | 2024-11-21 | N/A | 9.8 CRITICAL |
| VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. | |||||
| CVE-2023-20853 | 1 Aenrich | 1 A\+hrd | 2024-11-21 | N/A | 9.8 CRITICAL |
| aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ asynchronized message process. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands to perform arbitrary system operation or disrupt service. | |||||
| CVE-2023-20852 | 1 Aenrich | 1 A\+hrd | 2024-11-21 | N/A | 9.8 CRITICAL |
| aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ interpreter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands to perform arbitrary system operation or disrupt service. | |||||
| CVE-2023-20102 | 1 Cisco | 3 Secure Network Analytics, Stealthwatch Management Console 2200, Stealthwatch Management Console 2200 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to insufficient sanitization of user-provided data that is parsed into system memory. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the administrator user. | |||||
| CVE-2023-1967 | 1 Keysight | 1 N8844a | 2024-11-21 | N/A | 9.8 CRITICAL |
| Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid. | |||||
| CVE-2023-1714 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-21 | N/A | 8.8 HIGH |
| Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization. | |||||
| CVE-2023-1650 | 1 Quantumcloud | 1 Ai Chatbot | 2024-11-21 | N/A | 9.8 CRITICAL |
| The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog | |||||
| CVE-2023-1552 | 1 Ge | 1 Toolboxst | 2024-11-21 | N/A | 6.4 MEDIUM |
| ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user. | |||||
| CVE-2023-1405 | 1 Strategy11 | 1 Formidable Forms | 2024-11-21 | N/A | 7.5 HIGH |
| The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. | |||||
| CVE-2023-1399 | 1 Keysight | 2 N6854a, N6854a Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution. | |||||
| CVE-2023-1145 | 1 Deltaww | 1 Infrasuite Device Master | 2024-11-21 | N/A | 7.8 HIGH |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | |||||
| CVE-2023-1139 | 1 Deltaww | 1 Infrasuite Device Master | 2024-11-21 | N/A | 8.8 HIGH |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution. | |||||
| CVE-2023-0960 | 1 Seacms | 1 Seacms | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in SeaCMS 11.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /data/config.ftp.php of the component Picture Management. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-221630 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-0925 | 2 Microsoft, Softwareag | 2 Windows, Webmethods | 2024-11-21 | N/A | 9.8 CRITICAL |
| Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows. | |||||
| CVE-2023-0669 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2024-11-21 | N/A | 7.2 HIGH |
| Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2. | |||||
| CVE-2022-4890 | 1 Predictapp Project | 1 Predictapp | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in abhilash1985 PredictApp. This issue affects some unknown processing of the file config/initializers/new_framework_defaults_7_0.rb of the component Cookie Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The patch is named b067372f3ee26fe1b657121f0f41883ff4461a06. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218387. | |||||
| CVE-2022-4815 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Analytics Server | 2024-11-21 | N/A | 8.0 HIGH |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. | |||||