| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| `sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. |
| In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. |
| In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath. |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. |
| In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251. |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. |
