Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-32521 | 1 Schneider-electric | 1 Data Center Expert | 2025-02-05 | 7.1 High |
| A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0) | ||||
| CVE-2023-27978 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2025-02-05 | 7.8 High |
| A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2024-10936 | 1 Instawp | 1 String Locator | 2025-02-05 | 8.8 High |
| The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit. | ||||
| CVE-2023-4402 | 1 Wpdeveloper | 2 Essential Blocks, Essential Blocks Pro | 2025-02-05 | 8.1 High |
| The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2023-4386 | 1 Wpdeveloper | 1 Essential Blocks | 2025-02-05 | 8.1 High |
| The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2023-20864 | 1 Vmware | 2 Aria Operations For Logs, Cloud Foundation | 2025-02-05 | 9.8 Critical |
| VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. | ||||
| CVE-2024-54367 | 1 Ultimatemember | 1 Forumwp | 2025-02-05 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ForumWP ForumWP allows Object Injection.This issue affects ForumWP: from n/a through 2.1.0. | ||||
| CVE-2023-1650 | 1 Quantumcloud | 1 Ai Chatbot | 2025-02-04 | 9.8 Critical |
| The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog | ||||
| CVE-2023-1347 | 1 Fastlinemedia | 1 Customizer Export\/import | 2025-02-04 | 7.2 High |
| The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present | ||||
| CVE-2023-2141 | 1 3ds | 1 Delmia Apriso | 2025-02-04 | 8.5 High |
| An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution. | ||||
| CVE-2021-26857 | 1 Microsoft | 1 Exchange Server | 2025-02-04 | 7.8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2015-4852 | 1 Oracle | 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server | 2025-02-04 | 9.8 Critical |
| The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. | ||||
| CVE-2023-38203 | 1 Adobe | 1 Coldfusion | 2025-02-04 | 9.8 Critical |
| Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-22460 | 1 Dell | 2 Dm5500, Dm5500 Firmware | 2025-02-04 | 2.2 Low |
| Dell PowerProtect DM5500 version 5.15.0.0 and prior contains an insecure deserialization Vulnerability. A remote attacker with high privileges could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable application. | ||||
| CVE-2021-44228 | 13 Apache, Apple, Bentley and 10 more | 168 Log4j, Xcode, Synchro and 165 more | 2025-02-04 | 10 Critical |
| Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. | ||||
| CVE-2024-57766 | 2025-02-03 | 9.1 Critical | ||
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. | ||||
| CVE-2024-57764 | 2025-02-03 | 9.1 Critical | ||
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. | ||||
| CVE-2024-57763 | 2025-02-03 | 9.1 Critical | ||
| MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. | ||||
| CVE-2024-57762 | 2025-02-03 | 7.5 High | ||
| MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file. | ||||
| CVE-2021-42237 | 1 Sitecore | 1 Experience Platform | 2025-02-03 | 9.8 Critical |
| Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | ||||