Total
1487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28339 | 1 Collne | 1 Welcart E-commerce | 2024-11-21 | 6.5 MEDIUM | 7.5 HIGH |
| The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain. | |||||
| CVE-2020-28032 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. | |||||
| CVE-2020-27868 | 1 Qognify | 1 Ocularis | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Qognify Ocularis 5.9.0.395. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of serialized objects provided to the EventCoordinator endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-11257. | |||||
| CVE-2020-27583 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2020-27131 | 1 Cisco | 1 Security Manager | 2024-11-21 | 10.0 HIGH | 8.1 HIGH |
| Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2020-26945 | 1 Mybatis | 1 Mybatis | 2024-11-21 | 5.1 MEDIUM | 8.1 HIGH |
| MyBatis before 3.5.6 mishandles deserialization of object streams. | |||||
| CVE-2020-26867 | 1 Pcvuesolutions | 1 Pcvue | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server. | |||||
| CVE-2020-26207 | 1 Databaseschemareader Project | 1 Dbschemareader | 2024-11-21 | 6.8 MEDIUM | 8.0 HIGH |
| DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened. | |||||
| CVE-2020-26165 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. | |||||
| CVE-2020-26118 | 1 Smartbear | 1 Collaborator | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system. | |||||
| CVE-2020-25260 | 1 Hyland | 1 Onbase | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization. | |||||
| CVE-2020-25259 | 1 Hyland | 1 Onbase | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner. | |||||
| CVE-2020-25258 | 1 Hyland | 1 Onbase | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages. | |||||
| CVE-2020-24914 | 1 Qcubed | 1 Qcubed | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request. | |||||
| CVE-2020-24750 | 3 Debian, Fasterxml, Oracle | 26 Debian Linux, Jackson-databind, Agile Plm and 23 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. | |||||
| CVE-2020-24648 | 1 Hp | 1 Intelligent Management Center | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). | |||||
| CVE-2020-24639 | 1 Arubanetworks | 1 Airwave Glass | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system. | |||||
| CVE-2020-24616 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). | |||||
| CVE-2020-24164 | 1 Taoensso | 1 Nippy | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface. | |||||
| CVE-2020-24036 | 1 Fork-cms | 1 Fork Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. | |||||