Total: 1532 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-17571 | 7 Apache, Canonical, Debian and 4 more | 26 Bookkeeper, Log4j, Ubuntu Linux and 23 more | 2024-08-05 | 9.8 Critical |
Log4j 1.2 ships a SocketServer class that deserializes untrusted data: when it listens on a network port for log events, an attacker who can reach that port can combine the unchecked ObjectInputStream with a deserialization gadget on the classpath to execute arbitrary code remotely. This affects Log4j 1.2 releases up to and including 1.2.17; the 1.x line is end-of-life, so the remedy is to stop exposing SocketServer and move to a maintained Log4j 2 release. | ||||
CVE-2019-17556 | 1 Apache | 1 Olingo | 2024-08-05 | 9.8 Critical |
Apache Olingo versions 4.0.0 to 4.6.0 provide the public-API AbstractService class, which uses ObjectInputStream without checking the classes being deserialized. If an attacker can feed malicious metadata to the class, the result may in the worst case be execution of attacker-controlled code. | ||||
CVE-2019-17358 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Leap | 2024-08-05 | 8.1 High |
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. | ||||
CVE-2019-17267 | 5 Debian, Fasterxml, Netapp and 2 more | 21 Debian Linux, Jackson-databind, Active Iq Unified Manager and 18 more | 2024-08-05 | 9.8 Critical |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | ||||
CVE-2019-17080 | 1 Linuxmint | 1 Mintinstall | 2024-08-05 | 7.8 High |
mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because the file is loaded with pickle. This is resolved in 8.0.0 and backports. | ||||
CVE-2019-17206 | 1 Redis Wrapper Project | 1 Redis Wrapper | 2024-08-05 | 9.8 Critical |
Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. | ||||
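The two Python entries above (mintinstall's REVIEWS_CACHE file and rediswrapper's models.py) are the same bug: bytes from an untrusted source are handed to pickle.loads. The following is an added example, not code from either project, showing why that is code execution and how a restricted unpickler refuses the payload. The Gadget class, the echo command and the sample cache dictionary are constructed for the demonstration.

```python
"""Unsafe pickle loading beside a restricted loader (added example)."""
import io
import pickle
import subprocess


class Gadget:
    """Stand-in for an attacker-supplied object. pickle does not store the
    class body; it stores a reference to the callable returned by __reduce__
    plus the arguments, and the loader performs the call."""

    def __reduce__(self):
        # Benign stand-in for the real thing: an attacker would pick
        # os.system or a reverse shell. Here the command only echoes.
        return (subprocess.check_output, (["echo", "pwned"],))


def build_payload() -> bytes:
    """Serialise the gadget. The bytes reference subprocess.check_output,
    not Gadget, so any process that unpickles them runs the command."""
    return pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    """What a cache-file or Redis-value unpickle amounts to: trust the bytes."""
    return pickle.loads(data)


# Only plain data containers and scalars; nothing with side effects.
# (Protocols 0/1 reference builtins.set etc. by name, hence the allowlist.)
ALLOWED_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str", "int",
                 "float", "bool", "bytes"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle calls find_class for every GLOBAL/STACK_GLOBAL opcode; refusing
    unknown names here stops a gadget before anything is called."""

    def find_class(self, module: str, name: str):
        if name in ALLOWED_GLOBALS.get(module, set()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted pickle")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = build_payload()
    executed = unsafe_load(payload)          # runs `echo pwned`
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # A constructed cache record of the kind the loader is meant to accept.
    benign = safe_load(pickle.dumps({"reviews": [5, 4], "app": "vlc"}))
    return {"executed": executed, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The restricted loader is a mitigation for code that cannot stop using pickle; the better fix for a cache of reviews or a value stored in Redis is a format with no code-loading semantics at all, such as JSON.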
CVE-2019-17076 | 1 Jamf | 1 Jamf | 2024-08-05 | 9.8 Critical |
An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server. | ||||
CVE-2019-16755 | 1 Bmc | 1 Myit Digital Workplace | 2024-08-05 | 9.8 Critical |
BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both the DWP and SmartIT components, which can permit remote attackers to perform pre-authentication remote command execution on the operating system running the targeted application. Affected DWP versions: 3.x to 18.x (all versions, service packs and patches). Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08 and 19.02 (all versions, service packs and patches). | ||||
CVE-2019-16891 | 1 Liferay | 1 Liferay Portal | 2024-08-05 | 9.8 Critical |
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. | ||||
CVE-2019-16942 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 37 Debian Linux, Jackson-databind, Fedora and 34 more | 2024-08-05 | 9.8 Critical |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar on the classpath, an attacker who can point the data source's lookup at an RMI service endpoint they control can make the service execute a malicious payload. This issue exists because org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource are not blocked from polymorphic deserialization. | ||||
CVE-2019-16943 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 36 Debian Linux, Jackson-databind, Fedora and 33 more | 2024-08-05 | 9.8 Critical |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar on the classpath, an attacker who can point the data source's lookup at an RMI service endpoint they control can make the service execute a malicious payload. This issue exists because com.p6spy.engine.spy.P6DataSource is not blocked from polymorphic deserialization. | ||||
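The jackson-databind entries above all describe one pattern: with Default Typing on, the JSON document itself names the class to instantiate, and any class on the classpath whose constructor or setters have side effects becomes a gadget. The following is an added example in Python, not Jackson's code and not a Java exploit; it reduces that pattern to a few lines so the shape of the bug and of the fix is visible. The Address class, the type-hint key "@class" and the constructed attacker document are assumptions of the example; subprocess.Popen plays the role the DataSource classes play in the CVE text.

```python
"""Polymorphic typing driven by the document, beside an allowlisted version
(added example, not jackson-databind code)."""
import importlib
import json
import subprocess


class Address:
    """Ordinary data class, the kind the endpoint is meant to accept."""

    def __init__(self, street="", city=""):
        self.street, self.city = street, city


def unsafe_from_json(text: str):
    """The type hint in the document picks the class: the Python equivalent
    of Default Typing with no validator. Any importable class that accepts
    the remaining keys as constructor arguments is reachable."""
    doc = json.loads(text)
    module, _, cls_name = doc.pop("@class").rpartition(".")
    cls = getattr(importlib.import_module(module), cls_name)
    return cls(**doc)


SAFE_TYPES = {"Address": Address}    # explicit allowlist, never a denylist


def safe_from_json(text: str):
    """Same document shape, but the name is only a key into a fixed table of
    types this endpoint is allowed to build; nothing is looked up by import."""
    doc = json.loads(text)
    type_name = doc.pop("@class")
    cls = SAFE_TYPES.get(type_name)
    if cls is None:
        raise ValueError(f"type {type_name!r} is not allowed here")
    return cls(**doc)


# Constructed attacker document. -1 is subprocess.PIPE; the process starts
# inside the deserializer, before application code ever sees the object.
ATTACK = json.dumps({"@class": "subprocess.Popen",
                     "args": ["echo", "pwned"], "stdout": -1})
# Constructed legitimate document for the same endpoint.
BENIGN = json.dumps({"@class": "Address",
                     "street": "1 Main St", "city": "Springfield"})


def demo() -> dict:
    proc = unsafe_from_json(ATTACK)         # command has already executed
    output = proc.communicate()[0]
    try:
        safe_from_json(ATTACK)
        blocked = False
    except ValueError:
        blocked = True
    addr = safe_from_json(BENIGN)
    return {"executed": output, "blocked": blocked, "city": addr.city}


if __name__ == "__main__":
    print(demo())
```

The allowlist is the whole fix: a denylist of known gadget classes is what each of these jackson-databind CVEs extends by one more entry, which is why the entries keep coming. In real Jackson the equivalent is to keep Default Typing off, or, from 2.10 on, to enable it only with a PolymorphicTypeValidator that names the permitted base types.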
CVE-2019-16894 | 1 Inoideas | 1 Inoerp | 2024-08-05 | 9.8 Critical |
download.php in inoERP 4.15 allows SQL injection through insecure deserialization. | ||||
CVE-2019-16774 | 1 Phpfastcache | 1 Phpfastcache | 2024-08-05 | 4.4 Medium |
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver. | ||||
CVE-2019-16335 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 26 Debian Linux, Jackson-databind, Fedora and 23 more | 2024-08-05 | 9.8 Critical |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | ||||
CVE-2019-16317 | 1 Pimcore | 1 Pimcore | 2024-08-05 | 8.8 High |
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | ||||
CVE-2019-16112 | 1 Tylertech | 1 Eagle | 2024-08-05 | 8.8 High |
TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI. | ||||
CVE-2019-15780 | 1 Strategy11 | 1 Formidable Form Builder | 2024-08-05 | 9.8 Critical |
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | ||||
CVE-2019-15521 | 2 Fork-cms, Spoon-library | 2 Fork Cms, Spoon Library | 2024-08-05 | N/A |
Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object. | ||||
CVE-2019-15321 | 1 Optiontree Project | 1 Optiontree | 2024-08-05 | N/A |
The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. | ||||
CVE-2019-15319 | 1 Optiontree Project | 1 Optiontree | 2024-08-05 | N/A |
The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. |