Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43464 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 7.2 HIGH |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||
| CVE-2024-43466 | 1 Microsoft | 1 Sharepoint Server | 2024-09-13 | N/A | 6.5 MEDIUM |
| Microsoft SharePoint Server Denial of Service Vulnerability | |||||
| CVE-2024-29847 | 1 Ivanti | 1 Endpoint Manager | 2024-09-12 | N/A | 9.8 CRITICAL |
| Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | |||||
| CVE-2024-45857 | 2024-09-12 | N/A | 7.8 HIGH | ||
| Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded. | |||||
| CVE-2023-37227 | 2024-09-10 | N/A | 9.8 CRITICAL | ||
| Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data. | |||||
| CVE-2024-8255 | 1 Deltaww | 1 Dtn Soft | 2024-09-06 | N/A | 9.8 CRITICAL |
| Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability. | |||||
| CVE-2024-45758 | 2024-09-06 | N/A | 9.1 CRITICAL | ||
| H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors. | |||||
| CVE-2024-43242 | 1 Wpindeed | 1 Ultimate Membership Pro | 2024-09-06 | N/A | 9.0 CRITICAL |
| Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro allows Object Injection.This issue affects Ultimate Membership Pro: from n/a through 12.6. | |||||
| CVE-2024-2694 | 1 Muffingroup | 1 Betheme | 2024-09-03 | N/A | 8.8 HIGH |
| The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-8016 | 1 Theeventscalendar | 1 Events Calendar Pro | 2024-09-03 | N/A | 9.1 CRITICAL |
| The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue. | |||||
| CVE-2024-7435 | 2024-09-03 | N/A | 8.8 HIGH | ||
| The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2022-2440 | 2024-08-29 | N/A | 7.2 HIGH | ||
| The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2024-42362 | 1 Apache | 1 Hertzbeat | 2024-08-28 | N/A | 8.8 HIGH |
| Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0. | |||||
| CVE-2024-8030 | 2024-08-28 | N/A | 9.8 CRITICAL | ||
| The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_wishlist cookie in versions up to , and including, 2.0.3. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-5932 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 10.0 CRITICAL |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files. | |||||
| CVE-2024-36131 | 1 Ivanti | 1 Endpoint Manager Mobile | 2024-08-21 | N/A | 8.8 HIGH |
| An insecure deserialization vulnerability in web component of EPMM prior to 12.1.0.1 allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of the appliance. | |||||
| CVE-2024-8003 | 1 Gotribe | 1 Gotribe-admin | 2024-08-21 | 2.7 LOW | 3.5 LOW |
| A vulnerability was found in Go-Tribe gotribe-admin 1.0 and classified as problematic. Affected by this issue is the function InitRoutes of the file internal/app/routes/routes.go of the component Log Handler. The manipulation leads to deserialization. The patch is identified as 45ac90d6d1f82716f77dbcdf8e7309c229080e3c. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2024-5335 | 2024-08-21 | N/A | 9.8 CRITICAL | ||
| The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_compare_products cookie in versions up to , and including, 1.6.4. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-42363 | 2024-08-21 | N/A | 8.8 HIGH | ||
| Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385. | |||||
| CVE-2024-43354 | 2024-08-20 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in myCred allows Object Injection.This issue affects myCred: from n/a through 2.7.2. | |||||