Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4561 | 1 Ibm | 1 Security Identity Manager | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 166456. | |||||
| CVE-2019-4279 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445. | |||||
| CVE-2019-2391 | 1 Mongodb | 1 Js-bson | 2024-11-21 | 5.5 MEDIUM | 4.2 MEDIUM |
| Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to. | |||||
| CVE-2019-20477 | 2 Fedoraproject, Pyyaml | 2 Fedora, Pyyaml | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. | |||||
| CVE-2019-20453 | 1 Pydio | 1 Pydio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||||
| CVE-2019-20452 | 1 Pydio | 1 Pydio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||||
| CVE-2019-20330 | 4 Debian, Fasterxml, Netapp and 1 more | 30 Debian Linux, Jackson-databind, Active Iq Unified Manager and 27 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | |||||
| CVE-2019-1373 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. | |||||
| CVE-2019-19909 | 1 Sfu | 1 Open Journal System | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. | |||||
| CVE-2019-19849 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges. | |||||
| CVE-2019-19826 | 1 Drupal | 1 Views Dynamic Field | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible. | |||||
| CVE-2019-19810 | 1 Eleveo | 1 Call Recording | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host. | |||||
| CVE-2019-19470 | 1 Tinywall | 1 Tinywall | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. Affected product is TinyWall, all versions up to and including 2.1.12. Fixed in version 2.1.13. | |||||
| CVE-2019-19373 | 1 Squiz | 1 Matrix | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution. | |||||
| CVE-2019-19230 | 3 Broadcom, Linux, Microsoft | 3 Nolio, Linux Kernel, Windows | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code. | |||||
| CVE-2019-18956 | 1 Divisait | 4 Dv2eemvc, Proxia Phr, Proxia Suite and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Divisa Proxia Suite 9 < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 and 9.7.10, 10.0 < 10.0.32, and 10.1 < 10.1.5, SparkSpace 1.0 < 1.0.30, 1.1 < 1.1.2, and 1.2 < 1.2.4, and Proxia PHR 1.0 < 1.0.30 and 1.1 < 1.1.2 allows remote code execution via untrusted Java deserialization. The proxia-error cookie is insecurely deserialized in every request (GET or POST). Thus, an unauthenticated attacker can easily craft a seria1.0lized payload in order to execute arbitrary code via the prepareError function in the com.divisait.dv2ee.controller.MVCControllerServlet class of the dv2eemvc.jar component. allows remote code execution via untrusted Java deserialization. The proxia-error cookie is insecurely deserialized in every request (GET or POST). Thus, an unauthenticated attacker can easily craft a serialized payload in order to execute arbitrary code via the prepareError function in the com.divisait.dv2ee.controller.MVCControllerServlet class of the dv2eemvc.jar component. Affected products include Proxia Premium Edition 2017 and Sparkspace. | |||||
| CVE-2019-18631 | 1 Centrify | 3 Authentication Service, Infrastructure Services, Privilege Elevation Service | 2024-11-21 | 5.1 MEDIUM | 7.8 HIGH |
| The Windows component of Centrify Authentication and Privilege Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11), and 3.6.0 (19.6) does not properly handle an unspecified exception during use of partially trusted assemblies to serialize input data, which allows attackers to execute arbitrary code inside the Centrify process via (1) a crafted application that makes a pipe connection to the process and sends malicious serialized data or (2) a crafted Microsoft Management Console snap-in control file. | |||||
| CVE-2019-18601 | 1 Openafs | 1 Openafs | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler. | |||||
| CVE-2019-18580 | 1 Dell | 1 Emc Storage Monitoring And Reporting | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host. | |||||
| CVE-2019-18364 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution. | |||||