Total
1532 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-9874 | 1 Sitecore | 2 Cms, Experience Platform | 2024-08-04 | N/A |
| Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. | ||||
| CVE-2019-9875 | 1 Sitecore | 1 Cms | 2024-08-04 | N/A |
| Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. | ||||
| CVE-2019-9373 | 1 Google | 1 Android | 2024-08-04 | 5.5 Medium |
| In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-130173029 | ||||
| CVE-2019-9365 | 1 Google | 1 Android | 2024-08-04 | 9.8 Critical |
| In Bluetooth, there is a possible deserialization error due to missing string validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109838537 | ||||
| CVE-2019-9061 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-08-04 | 8.8 High |
| An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. | ||||
| CVE-2019-9056 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-08-04 | N/A |
| An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection. | ||||
| CVE-2019-9057 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-08-04 | 8.8 High |
| An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection. | ||||
| CVE-2019-9055 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-08-04 | N/A |
| An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection. | ||||
| CVE-2019-8662 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2024-08-04 | 9.8 Critical |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary. | ||||
| CVE-2019-6446 | 3 Fedoraproject, Numpy, Redhat | 3 Fedora, Numpy, Enterprise Linux | 2024-08-04 | N/A |
| An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources | ||||
| CVE-2019-8141 | 1 Magento | 1 Magento | 2024-08-04 | 7.2 High |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | ||||
| CVE-2019-7840 | 1 Adobe | 1 Coldfusion | 2024-08-04 | N/A |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2019-7743 | 1 Joomla | 1 Joomla\! | 2024-08-04 | N/A |
| An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. | ||||
| CVE-2019-7725 | 1 Nukeviet | 1 Nukeviet | 2024-08-04 | 9.8 Critical |
| includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). | ||||
| CVE-2019-7539 | 1 Ipycache Project | 1 Ipycache | 2024-08-04 | N/A |
| A code injection issue was discovered in ipycache through 2016-05-31. | ||||
| CVE-2019-7361 | 1 Autodesk | 11 Advance Steel, Autocad, Autocad Architecture and 8 more | 2024-08-04 | N/A |
| An attacker may convince a victim to open a malicious action micro (.actm) file that has serialized data, which may trigger a code execution in Autodesk Advance Steel 2018, Autodesk AutoCAD 2018, Autodesk AutoCAD Architecture 2018, Autodesk AutoCAD Electrical 2018, Autodesk AutoCAD Map 3D 2018, Autodesk AutoCAD Mechanical 2018, Autodesk AutoCAD MEP 2018, Autodesk AutoCAD P&ID 2018, Autodesk AutoCAD Plant 3D 2018, Autodesk AutoCAD LT 2018, and Autodesk Civil 3D 2018. | ||||
| CVE-2019-7214 | 1 Smartertools | 1 Smartermail | 2024-08-04 | N/A |
| SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch. | ||||
| CVE-2019-6980 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-08-04 | N/A |
| Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component. | ||||
| CVE-2019-7091 | 1 Adobe | 1 Coldfusion | 2024-08-04 | N/A |
| ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2019-6834 | 1 Schneider-electric | 1 Software Update | 2024-08-04 | 7.3 High |
| A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0) | ||||