Vulnerabilities (CVE)

Filtered by CWE-502
Total 1488 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-25152 1 Arubanetworks 1 Airwave 2024-11-21 9.0 HIGH 7.2 HIGH
A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
CVE-2021-25151 1 Arubanetworks 1 Airwave 2024-11-21 9.0 HIGH 8.8 HIGH
A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
CVE-2021-24857 1 Nocean 1 Totop Link 2024-11-21 7.5 HIGH 9.8 CRITICAL
The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.
CVE-2021-24579 1 Bold-themes 1 Bold Page Builder 2024-11-21 6.5 MEDIUM 8.8 HIGH
The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.
CVE-2021-24384 1 Beardev 1 Joomsport 2024-11-21 7.5 HIGH 9.8 CRITICAL
The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE
CVE-2021-24307 1 Aioseo 1 All In One Seo 2024-11-21 9.0 HIGH 8.8 HIGH
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.
CVE-2021-24280 1 Querysol 1 Redirection For Contact Form 7 2024-11-21 6.5 MEDIUM 8.8 HIGH
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
CVE-2021-24217 1 Facebook 1 Facebook 2024-11-21 6.8 MEDIUM 8.1 HIGH
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
CVE-2021-24066 1 Microsoft 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server 2024-11-21 6.5 MEDIUM 8.8 HIGH
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2021-24040 1 Facebook 1 Parlai 2024-11-21 7.5 HIGH 9.8 CRITICAL
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
CVE-2021-23895 1 Mcafee 1 Database Security 2024-11-21 9.0 HIGH 9.0 CRITICAL
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed Java serialized object sent to the DBSec server.
CVE-2021-23894 1 Mcafee 1 Database Security 2024-11-21 10.0 HIGH 9.6 CRITICAL
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed Java serialized object sent to the DBSec server.
CVE-2021-23758 1 Ajaxpro.2 Project 1 Ajaxpro.2 2024-11-21 7.5 HIGH 8.1 HIGH
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
CVE-2021-23592 1 Thinkphp 1 Thinkphp 2024-11-21 7.5 HIGH 7.7 HIGH
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2021-23420 1 Codeception 1 Codeception 2024-11-21 10.0 HIGH 7.7 HIGH
This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.
CVE-2021-23338 1 Microsoft 1 Qlib 2024-11-21 6.5 MEDIUM 6.6 MEDIUM
This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.
CVE-2021-22855 1 Hr Portal Project 1 Hr Portal 2024-11-21 7.5 HIGH 9.8 CRITICAL
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
CVE-2021-22777 1 Schneider-electric 1 Sosafe Configurable 2024-11-21 6.8 MEDIUM 7.8 HIGH
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file.
CVE-2021-22439 1 Huawei 1 Anyoffice 2024-11-21 9.3 HIGH 8.1 HIGH
There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. Successfully exploiting this vulnerability, the attacker can execute remote malicious code injection and to control the device.
CVE-2021-22097 1 Vmware 1 Spring Advanced Message Queuing Protocol 2024-11-21 6.8 MEDIUM 6.5 MEDIUM
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.