Total: 1532 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-10644 | Inductiveautomation | Ignition Gateway | 2024-08-04 | 7.5 High | The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVE-2020-10189 | Zohocorp | Manageengine Desktop Central | 2024-08-04 | 9.8 Critical | Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
CVE-2020-9547 | Debian, Fasterxml, Netapp and 2 more (5 total) | Debian Linux, Jackson-databind, Active Iq Unified Manager and 24 more (27 total) | 2024-08-04 | 9.8 Critical | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CVE-2020-9664 | Magento | Magento | 2024-08-04 | 9.8 Critical | Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier, have a PHP object injection vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2020-9546 | Debian, Fasterxml, Netapp and 2 more (5 total) | Debian Linux, Jackson-databind, Active Iq Unified Manager and 38 more (41 total) | 2024-08-04 | 9.8 Critical | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVE-2020-9548 | Debian, Fasterxml, Netapp and 2 more (5 total) | Debian Linux, Jackson-databind, Active Iq Unified Manager and 32 more (35 total) | 2024-08-04 | 9.8 Critical | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVE-2020-9493 | Apache, Qos (2 total) | Chainsaw, Log4j, Reload4j (3 total) | 2024-08-04 | 9.8 Critical | A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CVE-2020-9496 | Apache | Ofbiz | 2024-08-04 | 6.1 Medium | XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.
CVE-2020-9484 | Apache, Canonical, Debian and 5 more (8 total) | Tomcat, Ubuntu Linux, Debian Linux and 27 more (30 total) | 2024-08-04 | 7.0 High | When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103, if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CVE-2020-9301 | Linuxfoundation | Spinnaker | 2024-08-04 | 8.8 High | Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. The vulnerability exists within the handling of SpEL expressions and allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.
CVE-2020-9006 | Sygnoos | Popup Builder | 2024-08-04 | 9.8 Critical | The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP deserialization of attacker-controlled data in the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.)
CVE-2020-8884 | Proofpoint | Insider Threat Management | 2024-08-04 | 8.8 High | rcdsvc in the Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) before 7.9 allows remote authenticated users to execute arbitrary code as SYSTEM because of improper deserialization over named pipes.
CVE-2020-8840 | Debian, Fasterxml, Huawei and 3 more (6 total) | Debian Linux, Jackson-databind, Oceanstor 9000 and 16 more (19 total) | 2024-08-04 | 9.8 Critical | FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVE-2020-8801 | Salesagility | Suitecrm | 2024-08-04 | 7.2 High | SuiteCRM through 7.11.11 allows PHAR deserialization.
CVE-2020-8441 | Jyaml Project | Jyaml | 2024-08-04 | 9.8 Critical | JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
CVE-2020-8165 | Debian, Opensuse, Redhat and 1 more (4 total) | Debian Linux, Leap, Satellite and 2 more (5 total) | 2024-08-04 | 9.8 Critical | A deserialization of untrusted data vulnerability exists in Rails < 5.2.4.3 and Rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in RCE.
CVE-2020-8164 | Debian, Opensuse, Redhat and 1 more (4 total) | Debian Linux, Backports Sle, Leap and 3 more (6 total) | 2024-08-04 | 7.5 High | A deserialization of untrusted data vulnerability exists in Rails < 5.2.4.3 and Rails < 6.0.3.1 which can allow an attacker to supply information that can be inadvertently leaked from Strong Parameters.
CVE-2020-7961 | Liferay | Liferay Portal | 2024-08-04 | 9.8 Critical | Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
CVE-2020-7811 | Microsoft, Samsung (2 total) | Windows, Update (2 total) | 2024-08-04 | 6.2 Medium | Samsung Update 3.0.2.0 through 3.0.32.0 has a vulnerability that allows privilege escalation, as attacker-crafted commands are executed while the engine deserializes data received during inter-process communication.
CVE-2020-7660 | Redhat, Verizon (2 total) | Service Mesh, Serialize-javascript (2 total) | 2024-08-04 | 8.1 High | serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
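Most of the Java entries in this table (Ignition, ManageEngine, Chainsaw, Tomcat, Liferay, Proofpoint) reduce to one pattern: an ObjectInputStream, or a framework built on one, resolves and instantiates whatever class name the attacker's bytes carry, and the class's own deserialization hooks run before the application sees the object. The Tomcat row names the general fix: an allowlist of the classes the stream is expected to contain (its sessionAttributeValueClassNameFilter is a regular expression over class names, with no filtering by default unless a SecurityManager is active). The following is an added example, not code from any product in the table, that puts the unfiltered reader beside two JDK allowlist filters built on ObjectInputFilter (JEP 290, JDK 9+). SessionToken is a hypothetical expected type, and the regex is the one the Tomcat documentation gives as the SecurityManager default.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.regex.Pattern;

// Added example (not from any product listed above): unfiltered vs. allowlisted deserialization.
public class DeserializationFilterDemo {

    // Hypothetical "expected" type: the only application class the endpoint should accept.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Vulnerable pattern: any class named in the stream is resolved, instantiated,
    // and has its readObject()/readResolve() executed.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Pattern-string allowlist: the expected type plus String, "!*" rejects everything
    // else, and the limits bound nesting depth and array sizes.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            SessionToken.class.getName() + ";java.lang.String;!*;maxdepth=5;maxarray=1024");

    // Regex allowlist over class names, the mechanism Tomcat's
    // sessionAttributeValueClassNameFilter attribute uses.
    static ObjectInputFilter regexFilter(String regex) {
        Pattern allowed = Pattern.compile(regex);
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size callbacks carry no class
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            return allowed.matcher(c.getName()).matches()
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Tomcat's documented default when a SecurityManager is active.
    static final String TOMCAT_SECURITY_MANAGER_DEFAULT =
            "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)";

    static Object filteredRead(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter); // must be installed before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reports whether a reader accepts the stream or the filter rejects it (InvalidClassException).
    static String attempt(String label, byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try {
            Object o = filter == null ? unsafeRead(data) : filteredRead(data, filter);
            return label + ": accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));
        // HashMap stands in for an attacker-chosen class: harmless here, but an
        // unfiltered reader would instantiate a gadget chain just as readily.
        byte[] unexpected = serialize(new HashMap<String, String>());
        ObjectInputFilter tomcatDefault = regexFilter(TOMCAT_SECURITY_MANAGER_DEFAULT);

        System.out.println(attempt("unfiltered / SessionToken", expected, null));
        System.out.println(attempt("unfiltered / HashMap     ", unexpected, null));
        System.out.println(attempt("allowlist  / SessionToken", expected, ALLOWLIST));
        System.out.println(attempt("allowlist  / HashMap     ", unexpected, ALLOWLIST));
        System.out.println(attempt("tomcat re  / SessionToken", expected, tomcatDefault));
        System.out.println(attempt("tomcat re  / HashMap     ", unexpected, tomcatDefault));
    }
}
```

Run it with `java DeserializationFilterDemo.java` (single-file launch, JDK 11+). The unfiltered reader accepts both streams; the pattern filter accepts SessionToken and throws InvalidClassException on the HashMap before HashMap's readObject runs; the regex filter rejects both, which is exactly the limitation of Tomcat's SecurityManager default: it only admits boxed primitives and Strings, so any real session attribute type needs its own entry. A filter governs only which classes are resolved; it does not make a listed class safe to deserialize, so the allowlist should contain types you control and nothing from library packages known to host gadget chains.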