Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2023-11-03 CVE-2023-46817 Deserialization of Untrusted Data vulnerability in phpFox
An issue was discovered in phpFox before 4.8.14.
network
low complexity
phpfox CWE-502
critical
9.8
2023-11-02 CVE-2023-47204 Deserialization of Untrusted Data vulnerability in Toumorokoshi Transmute-Core
Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.
network
low complexity
toumorokoshi CWE-502
critical
9.8
2023-11-01 CVE-2023-1714 Deserialization of Untrusted Data vulnerability in Bitrix24 22.0.300
Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.
network
low complexity
bitrix24 CWE-502
8.8
2023-10-31 CVE-2023-47174 Deserialization of Untrusted Data vulnerability in Thorntech SFTP Gateway Firmware
Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027.
network
low complexity
thorntech CWE-502
critical
9.8
2023-10-27 CVE-2023-40121 Deserialization of Untrusted Data vulnerability in Google Android
In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization.
local
low complexity
google CWE-502
5.5
2023-10-20 CVE-2022-3342 Deserialization of Untrusted Data vulnerability in Automattic Jetpack CRM
The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the 'zbscrmcsvimpf' parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1.
network
low complexity
automattic CWE-502
8.8
2023-10-20 CVE-2023-4386 Deserialization of Untrusted Data vulnerability in Wpdeveloper Essential Blocks
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function.
network
high complexity
wpdeveloper CWE-502
8.1
2023-10-20 CVE-2023-39680 Deserialization of Untrusted Data vulnerability in Sollace Unicopia 1.1.1
Sollace Unicopia version 1.1.1 and before was discovered to deserialize untrusted data, allowing attackers to execute arbitrary code.
network
low complexity
sollace CWE-502
critical
9.8
2023-10-20 CVE-2023-4402 Deserialization of Untrusted Data vulnerability in Wpdeveloper Essential Blocks and Essential Blocks PRO
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function.
network
low complexity
wpdeveloper CWE-502
critical
9.8
2023-10-20 CVE-2023-34052 Deserialization of Untrusted Data vulnerability in VMware Aria Operations for Logs
VMware Aria Operations for Logs contains a deserialization vulnerability. A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.
local
low complexity
vmware CWE-502
7.8