Total: 1532 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2016-1000031 | 1 Apache | 1 Commons Fileupload | 2024-08-06 | N/A | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVE-2016-10753 | 1 E107 | 1 E107 | 2024-08-06 | N/A | e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.
CVE-2016-10750 | 2 Hazelcast, Redhat | 2 Hazelcast, Jboss Fuse | 2024-08-06 | N/A | In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CVE-2016-10304 | 1 Sap | 1 Netweaver Application Server Java | 2024-08-06 | 6.5 Medium | The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
CVE-2016-9865 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-08-06 | N/A | An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by the PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9585 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-08-06 | N/A | Red Hat JBoss EAP version 5 is vulnerable to deserialization of untrusted data in the JMX endpoint when it deserializes the credentials passed to it. An attacker could exploit this vulnerability to cause a denial of service.
CVE-2016-9498 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-06 | N/A | ManageEngine Applications Manager 12 and 13 before build 13200 allows unserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating system. Because the Applications Manager RMI registry runs with system administrator privileges, an attacker exploiting this vulnerability gains the highest privileges on the underlying operating system.
CVE-2016-9483 | 1 Jqueryform | 1 Php Formmail Generator | 2024-08-06 | N/A | The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or, along with CVE-2016-9484, to perform local file inclusion attacks and obtain files from the server.
CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2024-08-06 | N/A | The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
CVE-2016-8749 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2024-08-06 | N/A | Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
CVE-2016-8648 | 1 Redhat | 2 Jboss A-mq, Jboss Fuse | 2024-08-06 | N/A | It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.
CVE-2016-8653 | 1 Redhat | 2 Jboss A-mq, Jboss Fuse | 2024-08-06 | N/A | It was found that the JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
CVE-2016-8736 | 1 Apache | 1 Openmeetings | 2024-08-06 | N/A | Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via an RMI deserialization attack.
CVE-2016-8735 | 6 Apache, Canonical, Debian and 3 more | 19 Tomcat, Ubuntu Linux, Debian Linux and 16 more | 2024-08-06 | 9.8 Critical | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
CVE-2016-7124 | 2 Php, Redhat | 2 Php, Rhel Software Collections | 2024-08-06 | N/A | ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CVE-2016-7050 | 1 Redhat | 5 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Hpc Node and 2 more | 2024-08-06 | N/A | SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.
CVE-2016-7065 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-08-06 | N/A | The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2024-08-06 | 9.8 Critical | Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVE-2016-6793 | 1 Apache | 1 Wicket | 2024-08-06 | N/A | The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and, if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
CVE-2016-6620 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-08-06 | N/A | An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.