Total
1810 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16894 | 1 Inoideas | 1 Inoerp | 2024-11-21 | 9.8 Critical |
| download.php in inoERP 4.15 allows SQL injection through insecure deserialization. | ||||
| CVE-2019-16891 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 9.8 Critical |
| Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. | ||||
| CVE-2019-16774 | 1 Phpfastcache | 1 Phpfastcache | 2024-11-21 | 4.4 Medium |
| In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver. | ||||
| CVE-2019-16755 | 1 Bmc | 1 Myit Digital Workplace | 2024-11-21 | 9.8 Critical |
| BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted application. Affected DWP versions: versions: 3.x to 18.x, all versions, service packs, and patches are affected by this vulnerability. Affected SmartIT versions: 1.x, 2.0, 18.05, 18.08, and 19.02, all versions, service packs, and patches are affected by this vulnerability. | ||||
| CVE-2019-16335 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 26 Debian Linux, Jackson-databind, Fedora and 23 more | 2024-11-21 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | ||||
| CVE-2019-16317 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 8.8 High |
| In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318. | ||||
| CVE-2019-16112 | 1 Tylertech | 1 Eagle | 2024-11-21 | 8.8 High |
| TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI. | ||||
| CVE-2019-15780 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 9.8 Critical |
| The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | ||||
| CVE-2019-15521 | 2 Fork-cms, Spoon-library | 2 Fork Cms, Spoon Library | 2024-11-21 | N/A |
| Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object. | ||||
| CVE-2019-15321 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | N/A |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. | ||||
| CVE-2019-15320 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | N/A |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. | ||||
| CVE-2019-15319 | 1 Optiontree Project | 1 Optiontree | 2024-11-21 | N/A |
| The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. | ||||
| CVE-2019-14893 | 4 Fasterxml, Netapp, Oracle and 1 more | 12 Jackson-databind, Oncommand Api Services, Steelstore Cloud Integrated Storage and 9 more | 2024-11-21 | 9.8 Critical |
| A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. | ||||
| CVE-2019-14892 | 3 Apache, Fasterxml, Redhat | 13 Geode, Jackson-databind, Decision Manager and 10 more | 2024-11-21 | 9.8 Critical |
| A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. | ||||
| CVE-2019-14540 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 28 Debian Linux, Jackson-databind, Fedora and 25 more | 2024-11-21 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | ||||
| CVE-2019-14466 | 2 Debian, Gosa Project | 2 Debian Linux, Gosa | 2024-11-21 | 6.5 Medium |
| The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie. | ||||
| CVE-2019-14439 | 6 Apache, Debian, Fasterxml and 3 more | 20 Drill, Debian Linux, Jackson-databind and 17 more | 2024-11-21 | 7.5 High |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. | ||||
| CVE-2019-14379 | 7 Apple, Debian, Fasterxml and 4 more | 37 Xcode, Debian Linux, Jackson-databind and 34 more | 2024-11-21 | 9.8 Critical |
| SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | ||||
| CVE-2019-14224 | 1 Alfresco | 1 Alfresco | 2024-11-21 | N/A |
| An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr configuration files and then receive a JMX connection from the victim, and serve a Java object that results in deserialization and code execution. | ||||
| CVE-2019-13116 | 1 Mulesoft | 1 Mule Runtime | 2024-11-21 | 9.8 Critical |
| The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections | ||||