Vulnerabilities (CVE)

Filtered by CWE-502
Total 1479 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-1000148 1 Mahara 1 Mahara 2024-11-21 6.5 MEDIUM 8.8 HIGH
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file.
CVE-2017-1000053 1 Plug Project 1 Plug 2024-11-21 6.8 MEDIUM 8.1 HIGH
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.
CVE-2017-1000034 1 Akka 1 Akka 2024-11-21 9.3 HIGH 8.1 HIGH
Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.
CVE-2017-0903 4 Canonical, Debian, Redhat and 1 more 9 Ubuntu Linux, Debian Linux, Enterprise Linux Desktop and 6 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
CVE-2017-0806 1 Google 1 Android 2024-11-21 9.3 HIGH 7.8 HIGH
An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805.
CVE-2016-9865 1 Phpmyadmin 1 Phpmyadmin 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9585 1 Redhat 1 Jboss Enterprise Application Platform 2024-11-21 2.6 LOW 5.3 MEDIUM
Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.
CVE-2016-9498 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 10.0 HIGH 9.8 CRITICAL
ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system.
CVE-2016-9483 1 Jqueryform 1 Php Formmail Generator 2024-11-21 7.5 HIGH 9.8 CRITICAL
The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.
CVE-2016-9045 1 Processmaker 1 Processmaker 2024-11-21 6.5 MEDIUM 8.8 HIGH
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
CVE-2016-8749 1 Apache 1 Camel 2024-11-21 7.5 HIGH 9.8 CRITICAL
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVE-2016-8744 1 Apache 1 Brooklyn 2024-11-21 9.0 HIGH 8.8 HIGH
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
CVE-2016-8736 1 Apache 1 Openmeetings 2024-11-21 7.5 HIGH 9.8 CRITICAL
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
CVE-2016-8653 1 Redhat 2 Jboss A-mq, Jboss Fuse 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
CVE-2016-8648 1 Redhat 2 Jboss A-mq, Jboss Fuse 2024-11-21 6.5 MEDIUM 7.2 HIGH
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
CVE-2016-8519 1 Hp 1 Operations Orchestration 2024-11-21 10.0 HIGH 9.8 CRITICAL
A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found.
CVE-2016-8511 1 Hp 1 Network Automation 2024-11-21 7.5 HIGH 9.8 CRITICAL
A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found.
CVE-2016-7124 1 Php 1 Php 2024-11-21 7.5 HIGH 9.8 CRITICAL
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CVE-2016-7065 1 Redhat 1 Jboss Enterprise Application Platform 2024-11-21 6.5 MEDIUM 8.8 HIGH
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
CVE-2016-7050 1 Redhat 4 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 1 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.