Total
1738 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10655 | 1 Proofpoint | 1 Insider Threat Management Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) before 7.9.1 contains a vulnerability in the ITM application server's WriteWindowMouse API. The vulnerability allows an anonymous remote attacker to execute arbitrary code with local administrator privileges. The vulnerability is caused by improper deserialization. | |||||
| CVE-2020-10644 | 1 Inductiveautomation | 1 Ignition Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information. | |||||
| CVE-2020-10289 | 1 Openrobotics | 1 Robot Operating System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug. | |||||
| CVE-2020-0132 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In BnAAudioService::onTransact of IAAudioService.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-139473816 | |||||
| CVE-2020-0082 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. This could lead to local escalation of privilege to system_server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-140417434 | |||||
| CVE-2019-9373 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-130173029 | |||||
| CVE-2019-9365 | 1 Google | 1 Android | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Bluetooth, there is a possible deserialization error due to missing string validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-109838537 | |||||
| CVE-2019-9212 | 1 Antfin | 1 Sofa-hessian | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated | |||||
| CVE-2019-9061 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature. | |||||
| CVE-2019-9057 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection. | |||||
| CVE-2019-9056 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection. | |||||
| CVE-2019-9055 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection. | |||||
| CVE-2019-8662 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary. | |||||
| CVE-2019-8141 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | |||||
| CVE-2019-7840 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7743 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non .phar-files. | |||||
| CVE-2019-7725 | 1 Nukeviet | 1 Nukeviet | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). | |||||
| CVE-2019-7539 | 1 Ipycache Project | 1 Ipycache | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A code injection issue was discovered in ipycache through 2016-05-31. | |||||
| CVE-2019-7361 | 1 Autodesk | 11 Advance Steel, Autocad, Autocad Architecture and 8 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| An attacker may convince a victim to open a malicious action micro (.actm) file that has serialized data, which may trigger a code execution in Autodesk Advance Steel 2018, Autodesk AutoCAD 2018, Autodesk AutoCAD Architecture 2018, Autodesk AutoCAD Electrical 2018, Autodesk AutoCAD Map 3D 2018, Autodesk AutoCAD Mechanical 2018, Autodesk AutoCAD MEP 2018, Autodesk AutoCAD P&ID 2018, Autodesk AutoCAD Plant 3D 2018, Autodesk AutoCAD LT 2018, and Autodesk Civil 3D 2018. | |||||
| CVE-2019-7214 | 1 Smartertools | 1 Smartermail | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch. | |||||