Total
1810 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-8013 | 4 Apache, Canonical, Debian and 1 more | 21 Batik, Ubuntu Linux, Debian Linux and 18 more | 2024-11-21 | N/A |
| In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. | ||||
| CVE-2018-7891 | 2 Milestonesys, Siemens | 2 Xprotect, Siveillance Vms | 2024-11-21 | N/A |
| The Milestone XProtect Video Management Software (Corporate, Expert, Professional+, Express+, Essential+) 2016 R1 (10.0.a) to 2018 R1 (12.1a) contains .NET Remoting endpoints that are vulnerable to deserialization attacks resulting in remote code execution. | ||||
| CVE-2018-7889 | 1 Calibre-ebook | 1 Calibre | 2024-11-21 | N/A |
| gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. | ||||
| CVE-2018-7529 | 1 Osisoft | 1 Pi Data Archive | 2024-11-21 | N/A |
| A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server. | ||||
| CVE-2018-7489 | 4 Debian, Fasterxml, Oracle and 1 more | 10 Debian Linux, Jackson-databind, Communications Billing And Revenue Management and 7 more | 2024-11-21 | N/A |
| FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. | ||||
| CVE-2018-6497 | 1 Microfocus | 2 Cms Server, Universal Cmbd Server | 2024-11-21 | 8.8 High |
| Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF). | ||||
| CVE-2018-6496 | 1 Microfocus | 1 Universal Cmbd Browser | 2024-11-21 | 8.8 High |
| Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Browser version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.15.1 which could allow for remote unsafe deserialization and cross-site request forgery (CSRF). | ||||
| CVE-2018-6331 | 1 Facebook | 1 Buck | 2024-11-21 | N/A |
| Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01. | ||||
| CVE-2018-6162 | 4 Apple, Debian, Google and 1 more | 7 Macos, Debian Linux, Chrome and 4 more | 2024-11-21 | N/A |
| Improper deserialization in WebGL in Google Chrome on Mac prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2018-5968 | 4 Debian, Fasterxml, Netapp and 1 more | 12 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 9 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | ||||
| CVE-2018-3972 | 1 Getmonero | 1 Monero | 2024-11-21 | 9.8 Critical |
| An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability. | ||||
| CVE-2018-3784 | 1 Cryo Project | 1 Cryo | 2024-11-21 | 9.8 Critical |
| A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization. | ||||
| CVE-2018-3245 | 1 Oracle | 1 Weblogic Server | 2024-11-21 | N/A |
| Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||
| CVE-2018-2794 | 6 Canonical, Debian, Hp and 3 more | 18 Ubuntu Linux, Debian Linux, Xp7 Command View and 15 more | 2024-11-21 | 7.7 High |
| Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | ||||
| CVE-2018-2637 | 6 Canonical, Debian, Hp and 3 more | 20 Ubuntu Linux, Debian Linux, Xp7 Command View and 17 more | 2024-11-21 | 7.4 High |
| Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2018-21234 | 2 Apache, Jodd | 2 Hive, Jodd | 2024-11-21 | 9.8 Critical |
| Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | ||||
| CVE-2018-20987 | 1 Tribulant | 1 Newsletters | 2024-11-21 | N/A |
| The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection. | ||||
| CVE-2018-20984 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | N/A |
| The patreon-connect plugin before 1.2.2 for WordPress has Object Injection. | ||||
| CVE-2018-20732 | 6 Hpe, Ibm, Linux and 3 more | 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more | 2024-11-21 | N/A |
| SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to execute arbitrary code via a Java deserialization variant. | ||||
| CVE-2018-20718 | 1 Pydio | 1 Pydio | 2024-11-21 | N/A |
| In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link. | ||||