Search Results (2499 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-7065 1 Redhat 1 Jboss Enterprise Application Platform 2025-04-12 N/A
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
CVE-2016-7124 2 Php, Redhat 2 Php, Rhel Software Collections 2025-04-12 N/A
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CVE-2015-8103 2 Jenkins, Redhat 3 Jenkins, Openshift, Openshift Container Platform 2025-04-12 9.8 Critical
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
CVE-2025-32145 2025-04-11 8.8 High
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5.
CVE-2025-32144 2025-04-11 8.8 High
Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager allows Object Injection. This issue affects Job Board Manager: from n/a through 2.1.60.
CVE-2025-31932 2025-04-11 N/A
Deserialization of untrusted data issue exists in BizRobo! all versions. If this vulnerability is exploited, an arbitrary code is executed on the Management Console. The vendor provides the workaround information and recommends to apply it to the deployment environment.
CVE-2025-32607 2025-04-11 9.8 Critical
Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly allows Object Injection. This issue affects WpBookingly: from n/a through 1.2.0.
CVE-2025-32569 2025-04-11 9.8 Critical
Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2.
CVE-2025-32568 2025-04-11 9.8 Critical
Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2.
CVE-2023-30534 2 Cacti, Fedoraproject 2 Cacti, Fedora 2025-04-11 4.3 Medium
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a “safe” deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn’t used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2013-4271 2 Redhat, Restlet 6 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 3 more 2025-04-11 N/A
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.
CVE-2013-0333 4 Cloudforms Cloudengine, Redhat, Rhel Sam and 1 more 5 1, Openshift, 1.1 and 2 more 2025-04-11 N/A
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
CVE-2010-3708 1 Redhat 3 Jboss Enterprise Application Platform, Jboss Enterprise Soa Platform, Jboss Soa Platform 2025-04-11 N/A
The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer.
CVE-2013-1800 1 John Nunemaker 1 Crack 2025-04-11 N/A
The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
CVE-2013-0277 1 Rubyonrails 2 Rails, Ruby On Rails 2025-04-11 N/A
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
CVE-2010-4574 2 Google, Linux 3 Chrome, Chrome Os, Linux Kernel 2025-04-11 N/A
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data.
CVE-2013-3567 5 Canonical, Novell, Puppet and 2 more 7 Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server and 4 more 2025-04-11 N/A
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
CVE-2011-2520 2 Fedoraproject, Redhat 3 Fedora, Enterprise Linux, System-config-firewall 2025-04-11 7.8 High
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.
CVE-2013-0269 3 Redhat, Rhel Sam, Rubygems 6 Fuse Esb Enterprise, Jboss Enterprise Soa Platform, Jboss Fuse and 3 more 2025-04-11 N/A
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
CVE-2013-1768 2 Apache, Redhat 5 Openjpa, Fuse Esb Enterprise, Fuse Management Console and 2 more 2025-04-11 N/A
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.