Total
1487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36038 | 1 Circuitverse | 1 Circuitverse | 2024-11-21 | N/A | 8.8 HIGH |
| CircuitVerse is an open-source platform which allows users to construct digital logic circuits online. A remote code execution (RCE) vulnerability in CircuitVerse allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This issue may lead to Remote Code Execution (RCE). A patch is available in commit number 7b3023a99499a7675f10f2c1d9effdf10c35fb6e. There are currently no known workarounds. | |||||
| CVE-2022-36006 | 1 Arvados | 1 Arvados | 2024-11-21 | N/A | 7.9 HIGH |
| Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround. | |||||
| CVE-2022-35872 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | N/A | 7.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115. | |||||
| CVE-2022-35870 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | N/A | 7.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17265. | |||||
| CVE-2022-35405 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2024-11-21 | N/A | 9.8 CRITICAL |
| Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) | |||||
| CVE-2022-35223 | 1 Easyuse | 1 Mailhunter Ultimate | 2024-11-21 | N/A | 9.8 CRITICAL |
| EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Deserializing a cookie containing malicious payload will trigger this insecure deserialization vulnerability, allowing an unauthenticated remote attacker to execute arbitrary code, manipulate system command or interrupt service. | |||||
| CVE-2022-34668 | 1 Nvidia | 1 Nvflare | 2024-11-21 | N/A | 9.8 CRITICAL |
| NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | |||||
| CVE-2022-34268 | 1 Rws | 1 Worldserver | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host. | |||||
| CVE-2022-33947 | 1 F5 | 1 Big-ip Domain Name System | 2024-11-21 | N/A | 5.4 MEDIUM |
| In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, a vulnerability exists in undisclosed pages of the BIG-IP DNS Traffic Management User Interface (TMUI) that allows an authenticated attacker with at least operator role privileges to cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-33900 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2024-11-21 | N/A | 4.1 MEDIUM |
| PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. | |||||
| CVE-2022-33320 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | N/A | 7.8 HIGH |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. | |||||
| CVE-2022-33318 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows a remote unauthenticated attacker to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64 server. | |||||
| CVE-2022-33316 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | N/A | 7.8 HIGH |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. | |||||
| CVE-2022-33315 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | N/A | 7.8 HIGH |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. | |||||
| CVE-2022-33107 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | |||||
| CVE-2022-32601 | 2 Google, Mediatek | 41 Android, Mt6739, Mt6761 and 38 more | 2024-11-21 | N/A | 7.8 HIGH |
| In telephony, there is a possible permission bypass due to a parcel format mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07319132; Issue ID: ALPS07319132. | |||||
| CVE-2022-32521 | 1 Schneider-electric | 1 Data Center Expert | 2024-11-21 | N/A | 7.1 HIGH |
| A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0) | |||||
| CVE-2022-32224 | 1 Activerecord Project | 1 Activerecord | 2024-11-21 | N/A | 9.8 CRITICAL |
| A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE. | |||||
| CVE-2022-31710 | 1 Vmware | 1 Vrealize Log Insight | 2024-11-21 | N/A | 7.5 HIGH |
| vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. | |||||
| CVE-2022-31680 | 1 Vmware | 1 Vcenter Server | 2024-11-21 | N/A | 9.1 CRITICAL |
| The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server. | |||||