Total
1738 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17358 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Leap | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module. | |||||
| CVE-2019-17267 | 5 Debian, Fasterxml, Netapp and 2 more | 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | |||||
| CVE-2019-17206 | 1 Redis Wrapper Project | 1 Redis Wrapper | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. | |||||
| CVE-2019-17080 | 1 Linuxmint | 1 Mintinstall | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. This is resolved in 8.0.0 and backports. | |||||
| CVE-2019-17076 | 1 Jamf | 1 Jamf | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server. | |||||
| CVE-2019-16943 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 27 Debian Linux, Jackson-databind, Fedora and 24 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | |||||
| CVE-2019-16942 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 29 Debian Linux, Jackson-databind, Fedora and 26 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | |||||
| CVE-2019-16894 | 1 Inoideas | 1 Inoerp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| download.php in inoERP 4.15 allows SQL injection through insecure deserialization. | |||||
| CVE-2019-16891 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. | |||||
| CVE-2019-16774 | 1 Phpfastcache | 1 Phpfastcache | 2024-11-21 | 7.5 HIGH | 4.4 MEDIUM |
| In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver. | |||||
| CVE-2019-16755 | 1 Bmc | 1 Myit Digital Workplace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted application. Affected DWP versions: versions: 3.x to 18.x, all versions, service packs, and patches are affected by this vulnerability. Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08, and 19.02, all versions, service packs, and patches are affected by this vulnerability. | |||||
| CVE-2019-16335 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 18 Debian Linux, Jackson-databind, Fedora and 15 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | |||||
| CVE-2019-16317 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | |||||
| CVE-2019-16112 | 1 Tylertech | 1 Eagle | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI. | |||||
| CVE-2019-15780 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | |||||
| CVE-2019-15521 | 2 Fork-cms, Spoon-library | 2 Fork Cms, Spoon Library | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object. | |||||
| CVE-2019-15321 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. | |||||
| CVE-2019-15320 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. | |||||
| CVE-2019-15319 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. | |||||
| CVE-2019-14893 | 3 Fasterxml, Netapp, Oracle | 4 Jackson-databind, Oncommand Api Services, Steelstore Cloud Integrated Storage and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. | |||||