Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-32600 | 2024-11-21 | N/A | 8.3 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.5. | |||||
| CVE-2024-32030 | 2024-11-21 | N/A | 8.1 HIGH | ||
| Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security lab and is also tracked as GHSL-2023-230. | |||||
| CVE-2024-31879 | 2024-11-21 | N/A | 7.5 HIGH | ||
| IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbitrary code leading to a denial of service of network ports on the system, caused by the deserialization of untrusted data. IBM X-Force ID: 287539. | |||||
| CVE-2024-31308 | 2024-11-21 | N/A | 4.4 MEDIUM | ||
| Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.This issue affects WP Import Export Lite: from n/a through 3.9.26. | |||||
| CVE-2024-31277 | 2024-11-21 | N/A | 8.7 HIGH | ||
| Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32. | |||||
| CVE-2024-31224 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version. | |||||
| CVE-2024-31211 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected. | |||||
| CVE-2024-31094 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light.This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05. | |||||
| CVE-2024-30229 | 2024-11-21 | N/A | 8.0 HIGH | ||
| Deserialization of Untrusted Data vulnerability in GiveWP.This issue affects GiveWP: from n/a through 3.4.2. | |||||
| CVE-2024-30228 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core.This issue affects Hercules Core : from n/a through 6.4. | |||||
| CVE-2024-30227 | 2024-11-21 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4. | |||||
| CVE-2024-30226 | 2024-11-21 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3. | |||||
| CVE-2024-30225 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10. | |||||
| CVE-2024-30223 | 2024-11-21 | N/A | 9.0 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | |||||
| CVE-2024-30222 | 2024-11-21 | N/A | 8.5 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | |||||
| CVE-2024-2721 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0. | |||||
| CVE-2024-2229 | 2024-11-21 | N/A | 7.8 HIGH | ||
| CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. | |||||
| CVE-2024-2054 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. | |||||
| CVE-2024-29800 | 2024-11-21 | N/A | 8.0 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Timber Team & Contributors Timber.This issue affects Timber: from n/a through 1.23.0. | |||||
| CVE-2024-29433 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data. | |||||