Vulnerabilities (CVE)

Filtered by CWE-502
Total 1479 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-10456 2024-11-01 N/A 9.8 CRITICAL
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication.
CVE-2024-48112 2024-11-01 N/A 9.8 CRITICAL
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2021-4451 1 Nintechnet 1 Ninjafirewall 2024-10-30 N/A 7.2 HIGH
The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall).
CVE-2024-50416 1 Wpclever 1 Wpc Shop As A Customer For Woocommerce 2024-10-29 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6.
CVE-2024-50408 1 Kibokolabs 1 Namaste\! Lms 2024-10-29 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection.This issue affects Namaste! LMS: from n/a through 2.6.3.
CVE-2024-49684 2024-10-25 N/A 7.2 HIGH
Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21.
CVE-2024-49332 1 Giveawayboost 1 Giveaway Boost 2024-10-24 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection.This issue affects Giveaway Boost: from n/a through 2.1.4.
CVE-2024-49625 1 Brandonclark 1 Sitebuilder Dynamic Components 2024-10-24 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection.This issue affects SiteBuilder Dynamic Components: from n/a through 1.0.
CVE-2024-49624 1 Smartdevth 1 Advanced Advertising System 2024-10-24 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Smartdevth Advanced Advertising System allows Object Injection.This issue affects Advanced Advertising System: from n/a through 1.3.1.
CVE-2024-49626 1 Piyushmca 1 Shipyaari Shipping Management 2024-10-23 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Piyushmca Shipyaari Shipping Management allows Object Injection.This issue affects Shipyaari Shipping Management: from n/a through 1.2.
CVE-2024-10079 1 Newsignature 1 Wp Easy Post Types 2024-10-22 N/A 8.8 HIGH
The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajax_import_content' function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-9917 1 Usualtool 1 Usualtoolcms 2024-10-19 6.5 MEDIUM 4.9 MEDIUM
A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. This affects an unknown part of the file app/modules/ut-template/admin/template_creat.php. The manipulation of the argument content leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-47836 2024-10-18 N/A 3.5 LOW
Admidio is an open-source user management solution. Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Version 4.3.12 fixes this issue.
CVE-2024-49318 2024-10-18 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection.This issue affects My Reading Library: from n/a through 1.0.
CVE-2024-9953 1 Cert 1 Vince 2024-10-17 N/A 4.9 MEDIUM
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
CVE-2024-45733 2 Microsoft, Splunk 2 Windows, Splunk 2024-10-16 N/A 8.8 HIGH
In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an insecure session storage configuration.
CVE-2024-49226 2024-10-16 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in TAKETIN TAKETIN To WP Membership allows Object Injection.This issue affects TAKETIN To WP Membership: from n/a through 2.8.0.
CVE-2024-48030 2024-10-16 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Gabriele Valenti Telecash Ricaricaweb allows Object Injection.This issue affects Telecash Ricaricaweb: from n/a through 2.2.
CVE-2024-49227 2024-10-16 N/A 8.8 HIGH
Deserialization of Untrusted Data vulnerability in Innovaweb Sp. Z o.O. Free Stock Photos Foter allows Object Injection.This issue affects Free Stock Photos Foter: from n/a through 1.5.4.
CVE-2024-49218 2024-10-16 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection.This issue affects Recently: from n/a through 1.1.