Total: 1324 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20453 | 1 Pydio | 1 Pydio | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||||
| CVE-2018-1000641 | 1 Yeswiki | 1 Yeswiki | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in unserialising a user-entered parameter in i18n.inc.php that can result in execution of code or disclosure of information. | |||||
| CVE-2019-15321 | 1 Optiontree Project | 1 Optiontree | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. | |||||
| CVE-2019-11945 | 1 Hp | 1 Intelligent Management Center | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2019-20452 | 1 Pydio | 1 Pydio | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | |||||
| CVE-2019-15319 | 1 Optiontree Project | 1 Optiontree | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. | |||||
| CVE-2019-1010306 | 1 Teller | 1 Slanger | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact is: A remote attacker can execute arbitrary commands by sending a crafted request to the server. The component is: Message handler & request validator. The attack vector is: Remote unauthenticated. The fixed version is: after commit 5267b455caeb2e055cccf0d2b6a22727c111f5c3. | |||||
| CVE-2018-10085 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files. | |||||
| CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. | |||||
| CVE-2019-11944 | 1 Hp | 1 Intelligent Management Center | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2019-0187 | 1 Apache | 1 Jmeter | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes, so upgrading to JMeter 5.1 is also advised. | |||||
| CVE-2019-8662 | 1 Apple | 4 Iphone Os, Mac Os X, Tvos and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary. | |||||
| CVE-2019-17358 | 3 Cacti, Debian, Opensuse | 3 Cacti, Debian Linux, Leap | 2020-08-24 | 5.5 MEDIUM | 8.1 HIGH |
| Cacti through 1.2.7 is affected by multiple instances in lib/functions.php of unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti, or potentially cause memory corruption in the PHP module. | |||||
| CVE-2018-20984 | 1 Patreon | 1 Patreon Wordpress | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The patreon-connect plugin before 1.2.2 for WordPress has Object Injection. | |||||
| CVE-2018-20718 | 1 Pydio | 1 Pydio | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link. | |||||
| CVE-2019-19909 | 1 Sfu | 1 Open Journal System | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. | |||||
| CVE-2019-14224 | 1 Alfresco | 1 Alfresco | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr configuration files and then receive a JMX connection from the victim, and serve a Java object that results in deserialization and code execution. | |||||
| CVE-2019-9056 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CMS Made Simple 2.2.8. In the module FrontEndUsers (in the file class.FrontEndUsersManipulate.php or class.FrontEndUsersManipulator.php), it is possible to reach an unserialize call with an untrusted __FEU__ cookie, and achieve authenticated object injection. | |||||
| CVE-2019-16894 | 1 Inoideas | 1 Inoerp | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| download.php in inoERP 4.15 allows SQL injection through insecure deserialization. | |||||
| CVE-2019-9365 | 1 Google | 1 Android | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| In Bluetooth, there is a possible deserialization error due to missing string validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-109838537 | |||||
