Search Results (2537 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24217 | 1 Facebook | 1 Facebook | 2024-11-21 | 8.1 High |
| The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user-supplied data, making it possible for PHP objects to be supplied and creating an Object Injection vulnerability. There was also a usable magic method in the plugin that could be used to achieve remote code execution. | ||||
| CVE-2021-24066 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-11-21 | 8.8 High |
| Microsoft SharePoint Remote Code Execution Vulnerability | ||||
| CVE-2021-24040 | 1 Facebook | 1 Parlai | 2024-11-21 | 9.8 Critical |
| Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0. | ||||
| CVE-2021-23895 | 1 Mcafee | 1 Database Security | 2024-11-21 | 9 Critical |
| Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server. | ||||
| CVE-2021-23894 | 1 Mcafee | 1 Database Security | 2024-11-21 | 9.6 Critical |
| Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server. | ||||
| CVE-2021-23758 | 1 Ajaxpro.2 Project | 1 Ajaxpro.2 | 2024-11-21 | 8.1 High |
| All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution. | ||||
| CVE-2021-23592 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 7.7 High |
| The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class. | ||||
| CVE-2021-23420 | 1 Codeception | 1 Codeception | 2024-11-21 | 7.7 High |
| This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation. | ||||
| CVE-2021-23338 | 1 Microsoft | 1 Qlib | 2024-11-21 | 6.6 Medium |
| This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function. | ||||
| CVE-2021-22887 | 2 Pulsesecure, Supermicro | 24 Psa-5000, Psa-5000 Firmware, Psa-7000 and 21 more | 2024-11-21 | 2.3 Low |
| A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | ||||
| CVE-2021-22855 | 1 Hr Portal Project | 1 Hr Portal | 2024-11-21 | 9.8 Critical |
| The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands. | ||||
| CVE-2021-22777 | 1 Schneider-electric | 1 Sosafe Configurable | 2024-11-21 | 7.8 High |
| A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file. | ||||
| CVE-2021-22439 | 1 Huawei | 1 Anyoffice | 2024-11-21 | 8.1 High |
| There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. Successfully exploiting this vulnerability, the attacker can execute remote malicious code injection and control the device. | ||||
| CVE-2021-22097 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 6.5 Medium |
| In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. | ||||
| CVE-2021-22095 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 6.5 Medium |
| In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message. | ||||
| CVE-2021-21869 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
| An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2021-21868 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
| An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2021-21867 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
| An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2021-21866 | 1 Codesys | 1 Development System | 2024-11-21 | 7.8 High |
| An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2021-21865 | 1 Codesys | 1 Development System | 2024-11-21 | 7.8 High |
| An unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||