Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28500 | 1 Adobe | 1 Livecycle Es4 | 2024-11-21 | 9.8 Critical |
| A Java insecure deserialization vulnerability in Adobe LiveCycle ES4 version 11.0 and earlier allows unauthenticated remote attackers to gain operating system code execution by submitting specially crafted Java serialized objects to a specific URL. Adobe LiveCycle ES4 version 11.0.1 and later may be vulnerable if the application is installed with Java environment 7u21 and earlier. Exploitation of the vulnerability depends on two factors: insecure deserialization methods used in the Adobe LiveCycle application, and the use of Java environments 7u21 and earlier. The code execution is performed in the context of the account that is running the Adobe LiveCycle application. If the account is privileged, exploitation provides privileged access to the operating system. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-28323 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 9.8 Critical |
| A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine or be used as a stepping stone to get to other network attached machines. | ||||
| CVE-2023-28072 | 1 Dell | 1 Alienware Command Center | 2024-11-21 | 7.8 High |
| Dell Alienware Command Center, versions prior to 5.5.51.0, contain a deserialization of untrusted data vulnerability. A local malicious user could potentially send specially crafted requests to the .NET Remoting server to run arbitrary code on the system. | ||||
| CVE-2023-27459 | 2024-11-21 | 7.4 High | ||
| Deserialization of Untrusted Data vulnerability in WPEverest User Registration.This issue affects User Registration: from n/a through 2.3.2.1. | ||||
| CVE-2023-27296 | 1 Apache | 1 Inlong | 2024-11-21 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 | ||||
| CVE-2023-26592 | 1 Intel | 1 Thunderbolt Dch Driver | 2024-11-21 | 3.8 Low |
| Deserialization of untrusted data in some Intel(R) Thunderbolt(TM) DCH drivers for Windows before version 88 may allow an authenticated user to potentially enable a denial of service via local access. | ||||
| CVE-2023-26512 | 4 Apache, Apple, Linux and 1 more | 4 Eventmesh, Macos, Linux Kernel and 1 more | 2024-11-21 | 9.8 Critical |
| CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible. | ||||
| CVE-2023-26436 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-11-21 | 7.1 High |
| Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known. | ||||
| CVE-2023-26153 | 1 Geokit | 1 Geokit-rails | 2024-11-21 | 8.3 High |
| Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system. | ||||
| CVE-2023-25770 | 1 Honeywell | 2 C300, C300 Firmware | 2024-11-21 | 9.8 Critical |
| Controller DoS may occur due to buffer overflow when an error is generated in response to a specially crafted message. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||
| CVE-2023-24971 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2024-11-21 | 7.5 High |
| IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976. | ||||
| CVE-2023-24621 | 1 Esotericsoftware | 1 Yamlbeans | 2024-11-21 | 7.8 High |
| An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed. | ||||
| CVE-2023-24162 | 1 Hutool | 1 Hutool | 2024-11-21 | 9.8 Critical |
| Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. | ||||
| CVE-2023-23930 | 1 Vantage6 | 1 Vantage6 | 2024-11-21 | 5.5 Medium |
| vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround. | ||||
| CVE-2023-23649 | 2024-11-21 | 8.1 High | ||
| Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension.This issue affects MainWP Links Manager Extension: from n/a through 2.1. | ||||
| CVE-2023-23638 | 1 Apache | 1 Dubbo | 2024-11-21 | 5 Medium |
| A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. | ||||
| CVE-2023-22850 | 1 Tiki | 1 Tiki | 2024-11-21 | 8.8 High |
| Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | ||||
| CVE-2023-22067 | 3 Netapp, Oracle, Redhat | 11 Cloud Insights Acquisition Unit, Cloud Insights Storage Workload Security Agent, Jdk and 8 more | 2024-11-21 | 5.3 Medium |
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). | ||||
| CVE-2023-20102 | 1 Cisco | 3 Secure Network Analytics, Stealthwatch Management Console 2200, Stealthwatch Management Console 2200 Firmware | 2024-11-21 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to insufficient sanitization of user-provided data that is parsed into system memory. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the administrator user. | ||||
| CVE-2023-1714 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-21 | 8.8 High |
| Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization. | ||||