Total
1486 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-48282 | 1 Mongodb | 1 C\# Driver | 2024-11-21 | N/A | 6.6 MEDIUM |
| Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0 Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable | |||||
| CVE-2022-47986 | 3 Ibm, Linux, Microsoft | 3 Aspera Faspex, Linux Kernel, Windows | 2024-11-21 | N/A | 9.8 CRITICAL |
| IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512. | |||||
| CVE-2022-47599 | 1 Bitapps | 1 File Manager | 2024-11-21 | N/A | 5.5 MEDIUM |
| Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager: from n/a through 5.2.7. | |||||
| CVE-2022-47507 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | |||||
| CVE-2022-47504 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | |||||
| CVE-2022-47503 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | |||||
| CVE-2022-47083 | 1 Spitfire Project | 1 Spitfire | 2024-11-21 | N/A | 8.8 HIGH |
| A PHP Object Injection vulnerability in the unserialize() function Spitfire CMS v1.0.475 allows authenticated attackers to execute arbitrary code via sending crafted requests to the web application. | |||||
| CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2024-11-21 | N/A | 9.8 CRITICAL |
| The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | |||||
| CVE-2022-46366 | 1 Apache | 1 Tapestry | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry. | |||||
| CVE-2022-45982 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | N/A | 9.8 CRITICAL |
| thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | |||||
| CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2024-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | |||||
| CVE-2022-45845 | 1 Nextendweb | 1 Smart Slider 3 | 2024-11-21 | N/A | 4.3 MEDIUM |
| Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.This issue affects Smart Slider 3: from n/a through 3.5.1.9. | |||||
| CVE-2022-45147 | 2024-11-21 | N/A | 7.8 HIGH | ||
| A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300. | |||||
| CVE-2022-45136 | 1 Apache | 1 Jena Sdb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2. | |||||
| CVE-2022-45083 | 1 Properfraction | 1 Profilepress | 2024-11-21 | N/A | 6.6 MEDIUM |
| Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.3.2. | |||||
| CVE-2022-45077 | 1 Muffingroup | 1 Betheme | 2024-11-21 | N/A | 6.3 MEDIUM |
| Auth. (subscriber+) PHP Object Injection vulnerability in Betheme theme <= 26.5.1.4 on WordPress. | |||||
| CVE-2022-45047 | 1 Apache | 1 Sshd | 2024-11-21 | N/A | 9.8 CRITICAL |
| Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. | |||||
| CVE-2022-44645 | 1 Apache | 1 Linkis | 2024-11-21 | N/A | 8.8 HIGH |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1. | |||||
| CVE-2022-44559 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 9.8 CRITICAL |
| The AMS module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation. | |||||
| CVE-2022-44558 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 9.8 CRITICAL |
| The AMS module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation. | |||||