Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2023-10-19 CVE-2023-34050 Deserialization of Untrusted Data vulnerability in VMware Spring Advanced Message Queuing Protocol
In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed-list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if:
* the SimpleMessageConverter or SerializerMessageConverter is used
* the user does not configure allowed-list patterns
* untrusted message originators gain permission to write messages to the RabbitMQ broker and so can send malicious content
network
low complexity
vmware CWE-502
4.3
2023-10-18 CVE-2023-45146 Deserialization of Untrusted Data vulnerability in Xxl-Rpc Project Xxl-Rpc
XXL-RPC is a high performance, distributed RPC framework.
network
low complexity
xxl-rpc-project CWE-502
critical
10.0
2023-10-18 CVE-2023-35084 Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager
Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely.
network
low complexity
ivanti CWE-502
critical
9.8
2023-10-16 CVE-2023-4971 Deserialization of Untrusted Data vulnerability in Weavertheme Weaver Xtreme Theme Support
The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports a malicious file and a suitable gadget chain is present on the blog.
network
low complexity
weavertheme CWE-502
7.2
2023-10-06 CVE-2023-26153 Deserialization of Untrusted Data vulnerability in Geokit Geokit-Rails
Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie.
network
low complexity
geokit CWE-502
critical
9.8
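Added example, not code from this page or from any of the listed projects: the geokit-rails entry above describes YAML taken from a cookie and deserialized unsafely, and the Spring AMQP entry above describes the fix pattern, an allowed list of class names. The Ruby below shows both sides on a constructed cookie value. The unsafe path revives whatever `!ruby/object:` class the cookie names and Psych runs that class's `init_with` hook during deserialization, which is the hook a gadget chain builds on; the hardened path uses `YAML.safe_load` with `permitted_classes` so that anything but the expected type is rejected before any object is built. `GeoLocation`, `LoggingHook` and the two cookie strings are constructed for this example and are not geokit-rails code.

```ruby
require 'yaml'

# Constructed stand-in for the data type an application expects to find in
# its geo_location cookie. Not geokit-rails code.
class GeoLocation
  attr_accessor :lat, :lng
end

# Constructed stand-in for any class already loaded in the process whose
# deserialization hook does work. Psych calls #init_with(coder) when it
# revives a !ruby/object: tag for a class that defines it, so an attacker
# who controls the class name also controls which hook runs and with what
# attributes. Here the hook only records that it ran.
class LoggingHook
  @@events = []

  def self.events
    @@events
  end

  def init_with(coder)
    @@events << "init_with ran with #{coder.map.inspect}"
  end
end

# Constructed cookie bodies. The first is what the application expects; the
# second names a class the application never meant to deserialize.
EXPECTED_COOKIE = "--- !ruby/object:GeoLocation\nlat: 51.5\nlng: -0.12\n"
HOSTILE_COOKIE  = "--- !ruby/object:LoggingHook\ncmd: id\n"

# Vulnerable pattern: full YAML deserialization of attacker-controlled input.
# Psych >= 3.3.2 exposes this as YAML.unsafe_load; on older Psych, YAML.load
# itself is the unsafe call, so fall back to it there.
def unsafe_parse(cookie)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(cookie) : YAML.load(cookie)
end

# Hardened pattern: an allowed list of classes (the same idea as Spring
# AMQP's allowed-list patterns). Any other !ruby/object: tag raises
# Psych::DisallowedClass before an instance exists. aliases are disabled
# because they are not needed for this data and enable entity-expansion
# style payloads. The type check after loading guards against a plain
# scalar or hash where an object was expected.
def safe_parse(cookie)
  obj = YAML.safe_load(cookie, permitted_classes: [GeoLocation], aliases: false)
  raise ArgumentError, "unexpected cookie type #{obj.class}" unless obj.is_a?(GeoLocation)
  obj
end
```

Calling `unsafe_parse(HOSTILE_COOKIE)` returns a `LoggingHook` and `LoggingHook.events` gains an entry, even though the application never referenced that class: the input chose it. `safe_parse(HOSTILE_COOKIE)` raises `Psych::DisallowedClass` instead, while `safe_parse(EXPECTED_COOKIE)` still yields a `GeoLocation` with `lat` 51.5. In a real chain the class would be one already present in the application or its gems, which is why the fix is to restrict the class set rather than to audit what happens to be loaded.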
2023-10-05 CVE-2023-43981 Deserialization of Untrusted Data vulnerability in Presto-Changeo Test Site Creator 1.1.1
Presto Changeo testsitecreator up to 1.1.1 was discovered to contain a deserialization vulnerability via the component delete_excluded_folder.php.
network
low complexity
presto-changeo CWE-502
critical
9.8
2023-10-03 CVE-2023-43176 Deserialization of Untrusted Data vulnerability in Afterlogic Aurora Files 9.7.3
A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file.
network
low complexity
afterlogic CWE-502
8.8
2023-10-02 CVE-2023-43268 Deserialization of Untrusted Data vulnerability in Deyue Remote Vehicle Management System Project Deyue Remote Vehicle Management System 1.1
Deyue Remote Vehicle Management System v1.1 was discovered to contain a deserialization vulnerability.
8.8
2023-09-28 CVE-2023-44273 Deserialization of Untrusted Data vulnerability in Consensys Gnark-Crypto
Consensys gnark-crypto through 0.11.2 allows Signature Malleability.
network
low complexity
consensys CWE-502
critical
9.8
2023-09-27 CVE-2023-43291 Deserialization of Untrusted Data vulnerability in Emlog
Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.
network
low complexity
emlog CWE-502
critical
9.8