Total: 1943 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-24280 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 8.8 High |
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. | ||||
CVE-2021-24217 | 1 Facebook | 1 Facebook | 2024-11-21 | 8.1 High |
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user-supplied data, making it possible for PHP objects to be supplied and creating an Object Injection vulnerability. There was also a usable magic method in the plugin that could be used to achieve remote code execution. | ||||
CVE-2021-24066 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-11-21 | 8.8 High |
Microsoft SharePoint Remote Code Execution Vulnerability | ||||
CVE-2021-24040 | 1 Facebook | 1 Parlai | 2024-11-21 | 9.8 Critical |
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0. | ||||
CVE-2021-23895 | 1 Mcafee | 1 Database Security | 2024-11-21 | 9 Critical |
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server. | ||||
CVE-2021-23894 | 1 Mcafee | 1 Database Security | 2024-11-21 | 9.6 Critical |
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server. | ||||
CVE-2021-23758 | 1 Ajaxpro.2 Project | 1 Ajaxpro.2 | 2024-11-21 | 8.1 High |
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution. | ||||
CVE-2021-23592 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 7.7 High |
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class. | ||||
CVE-2021-23420 | 1 Codeception | 1 Codeception | 2024-11-21 | 7.7 High |
This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation. | ||||
CVE-2021-23338 | 1 Microsoft | 1 Qlib | 2024-11-21 | 6.6 Medium |
This affects all versions of package qlib. The workflow function in the CLI part of qlib was using an unsafe YAML load function. | ||||
CVE-2021-22855 | 1 Hr Portal Project | 1 Hr Portal | 2024-11-21 | 9.8 Critical |
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands. | ||||
CVE-2021-22777 | 1 Schneider-electric | 1 Sosafe Configurable | 2024-11-21 | 7.8 High |
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file. | ||||
CVE-2021-22439 | 1 Huawei | 1 Anyoffice | 2024-11-21 | 8.1 High |
There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. By successfully exploiting this vulnerability, the attacker can perform remote malicious code injection and control the device. | ||||
CVE-2021-22097 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 6.5 Medium |
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. | ||||
CVE-2021-22095 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 6.5 Medium |
In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message. | ||||
CVE-2021-21869 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
CVE-2021-21868 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
CVE-2021-21867 | 1 Codesys | 1 Codesys | 2024-11-21 | 7.8 High |
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
CVE-2021-21866 | 1 Codesys | 1 Development System | 2024-11-21 | 7.8 High |
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
CVE-2021-21865 | 1 Codesys | 1 Development System | 2024-11-21 | 7.8 High |
An unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability. |