Search Results (2499 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2013-3567 5 Canonical, Novell, Puppet and 2 more 7 Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server and 4 more 2025-04-11 N/A
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
CVE-2012-3527 2 Debian, Typo3 2 Debian Linux, Typo3 2025-04-11 N/A
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."
CVE-2013-4271 2 Redhat, Restlet 6 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 3 more 2025-04-11 N/A
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.
CVE-2012-4406 3 Fedoraproject, Openstack, Redhat 8 Fedora, Swift, Enterprise Linux Server and 5 more 2025-04-11 9.8 Critical
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
CVE-2010-4574 2 Google, Linux 3 Chrome, Chrome Os, Linux Kernel 2025-04-11 N/A
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data.
CVE-2011-2520 2 Fedoraproject, Redhat 3 Fedora, Enterprise Linux, System-config-firewall 2025-04-11 7.8 High
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.
CVE-2013-1768 2 Apache, Redhat 5 Openjpa, Fuse Esb Enterprise, Fuse Management Console and 2 more 2025-04-11 N/A
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
CVE-2013-1800 1 John Nunemaker 1 Crack 2025-04-11 N/A
The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
CVE-2013-1640 3 Canonical, Puppet, Redhat 4 Ubuntu Linux, Puppet, Puppet Enterprise and 1 more 2025-04-11 N/A
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.
CVE-2024-9052 2025-04-10 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2024-57762 1 Wangl1989 1 Mysiteforme 2025-04-10 7.5 High
MSFM before v2025.01.01 was discovered to contain a deserialization vulnerability via the pom.xml configuration file.
CVE-2024-57763 1 Wangl1989 1 Mysiteforme 2025-04-10 9.1 Critical
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField.
CVE-2024-57764 1 Wangl1989 1 Mysiteforme 2025-04-10 9.1 Critical
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add.
CVE-2024-57766 1 Wangl1989 1 Mysiteforme 2025-04-10 9.1 Critical
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField.
CVE-2024-1950 1 Wpwax 2 Product Carosel Slider \& Grid Ultimate, Product Carousel Slider \& Grid Ultimate For Woocommerce 2025-04-09 7.5 High
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2007-1701 2 Php, Redhat 4 Php, Enterprise Linux, Rhel Application Stack and 1 more 2025-04-09 N/A
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
CVE-2024-30224 2 Wholesale Team, Wpxpo 2 Wholesalex, Wholesalex 2025-04-08 10 Critical
Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2.
CVE-2024-30221 1 Sunshinephotocart 1 Sunshine Photo Cart 2025-04-08 5.4 Medium
Deserialization of Untrusted Data vulnerability in WP Sunshine Sunshine Photo Cart.This issue affects Sunshine Photo Cart: from n/a through 3.1.1.
CVE-2024-30230 1 Acowebs 1 Pdf Invoices And Packing Slips For Woocommerce 2025-04-08 8.2 High
Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7.
CVE-2023-22850 1 Tiki 1 Tiki 2025-04-07 8.8 High
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.