Total
1532 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11619 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more | 2024-08-04 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | ||||
| CVE-2020-11467 | 1 Deskpro | 1 Deskpro | 2024-08-04 | 7.2 High |
| An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and _self variables was not permitted, one could abuse the accessible variables in one's context to reach a native unserialize function via the code parameter. There, on could pass a crafted payload to trigger a set of POP gadgets in order to achieve remote code execution. | ||||
| CVE-2020-11067 | 1 Typo3 | 1 Typo3 | 2024-08-04 | 8.8 High |
| In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. | ||||
| CVE-2020-11112 | 5 Debian, Fasterxml, Netapp and 2 more | 39 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 36 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | ||||
| CVE-2020-11113 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | ||||
| CVE-2020-11111 | 5 Debian, Fasterxml, Netapp and 2 more | 33 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 30 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | ||||
| CVE-2020-10968 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | ||||
| CVE-2020-10969 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | ||||
| CVE-2020-10914 | 1 Veeam | 1 One | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the PerformHandshake method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10400. | ||||
| CVE-2020-10917 | 1 Nec | 1 Esmpro Manager | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10007. | ||||
| CVE-2020-10915 | 1 Veeam | 1 One | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401. | ||||
| CVE-2020-10740 | 1 Redhat | 6 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd, Jboss Fuse and 3 more | 2024-08-04 | 6.6 Medium |
| A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. | ||||
| CVE-2020-10721 | 1 Redhat | 1 Fabric8-maven | 2024-08-04 | 7.8 High |
| A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2020-10672 | 5 Debian, Fasterxml, Netapp and 2 more | 40 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 37 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | ||||
| CVE-2020-10673 | 5 Debian, Fasterxml, Netapp and 2 more | 40 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 37 more | 2024-08-04 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | ||||
| CVE-2020-10658 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-08-04 | 9.8 Critical |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteImage API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. | ||||
| CVE-2020-10656 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-08-04 | 9.8 Critical |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouseWithChunksV2 API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. | ||||
| CVE-2020-10650 | 2 Fasterxml, Oracle | 3 Jackson-databind, Retail Merchandising System, Retail Sales Audit | 2024-08-04 | 8.1 High |
| A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. | ||||
| CVE-2020-10657 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-08-04 | 7.2 High |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM web console's ImportAlertRules feature. The vulnerability allows a remote attacker (with admin or config-admin privileges in the console) to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. | ||||
| CVE-2020-10655 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-08-04 | 9.8 Critical |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouse API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. | ||||