Total: 1526 CVEs

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-46227 | 1 Apache | 1 Inlong | 2024-09-12 | 7.5 High | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0; the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8814
CVE-2023-35180 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-12 | 8 High | The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows authenticated users to abuse the SolarWinds ARM API.
CVE-2023-35182 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-12 | 8.8 High | The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability can be abused by unauthenticated users on the SolarWinds ARM Server.
CVE-2023-35184 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-12 | 8.8 High | The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service, resulting in remote code execution.
CVE-2023-35186 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-12 | 8 High | The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
CVE-2024-45857 | 1 Cleanlab | 1 Cleanlab | 2024-09-12 | 7.8 High | Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user's system when the data directory is loaded.
CVE-2023-34050 | 2 Redhat, Vmware | 2 Amq Clients, Spring Advanced Message Queuing Protocol | 2024-09-12 | 5 Medium | In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed-list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if (1) the SimpleMessageConverter or SerializerMessageConverter is used, (2) the user does not configure allowed-list patterns, and (3) untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content.
CVE-2023-39680 | 1 Sollace | 1 Unicopia | 2024-09-12 | 7.5 High | Sollace Unicopia version 1.1.1 and before was discovered to deserialize untrusted data, allowing attackers to execute arbitrary code.
CVE-2023-34052 | 1 Vmware | 1 Aria Operations For Logs | 2024-09-12 | 7.8 High | VMware Aria Operations for Logs contains a deserialization vulnerability. A malicious actor with non-administrative access to the local system can trigger the deserialization of data, which could result in authentication bypass.
CVE-2024-28074 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-10 | 9.6 Critical | It was discovered that a previous vulnerability was not completely fixed in SolarWinds Access Rights Manager. While some controls were implemented, the researcher was able to bypass these and use a different method to exploit the vulnerability.
CVE-2023-37227 | 1 Loftware | 1 Spectrum | 2024-09-10 | 9.8 Critical | Loftware Spectrum before 4.6 HF13 deserializes untrusted data.
CVE-2022-34268 | 1 Rws | 1 Worldserver | 2024-09-09 | 9.8 Critical | An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
CVE-2023-40121 | 1 Google | 1 Android | 2024-09-09 | 5.5 Medium | In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-8255 | 1 Deltaww | 2 Dtn Soft, Dtnsoft | 2024-09-06 | 9.8 Critical | Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability.
CVE-2024-45758 | 1 H2oai | 1 H2o-3 | 2024-09-06 | 9.1 Critical | H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload, such as one that uses queryInterceptors.
CVE-2024-43242 | 2 Azzaroco, Wpindeed | 2 Ultimate Membership Pro, Ultimate Membership Pro | 2024-09-06 | 9 Critical | Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro allows Object Injection. This issue affects Ultimate Membership Pro from n/a through 12.6.
CVE-2023-51785 | 1 Apache | 1 Inlong | 2024-09-06 | 7.5 High | Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.7.0 through 1.9.0; attackers can perform an arbitrary file read attack using the MySQL driver. Users are advised to upgrade to Apache InLong 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331
CVE-2023-47204 | 1 Toumorokoshi | 1 Transmute-core | 2024-09-06 | 9.8 Critical | Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.
CVE-2023-46817 | 1 Phpfox | 1 Phpfox | 2024-09-06 | 9.8 Critical | An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.
CVE-2023-1714 | 1 Bitrix24 | 1 Bitrix24 | 2024-09-05 | 8.8 High | Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.