Vulnerabilities > Deserialization of Untrusted Data
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|
2023-10-19 | CVE-2023-34050 | Deserialization of Untrusted Data vulnerability in VMware Spring AMQP (Advanced Message Queuing Protocol). In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed-list patterns for deserializable class names were added, letting users lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if (1) the SimpleMessageConverter or SerializerMessageConverter is used, (2) the user does not configure allowed-list patterns, and (3) untrusted message originators gain permission to write messages to the RabbitMQ broker and send malicious content. | 4.3 |
2023-10-18 | CVE-2023-45146 | Deserialization of Untrusted Data vulnerability in XXL-RPC (Xxl-Rpc Project). XXL-RPC is a high-performance, distributed RPC framework. | 10.0 |
2023-10-18 | CVE-2023-35084 | Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager. Unsafe deserialization of user input could lead to execution of unauthorized operations in Ivanti Endpoint Manager 2022 SU3 and all previous versions, which could allow an attacker to execute commands remotely. | 9.8 |
2023-10-16 | CVE-2023-4971 | Deserialization of Untrusted Data vulnerability in Weavertheme Weaver Xtreme Theme Support. The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserializes the content of an imported file, which could lead to PHP object injection when a high-privilege user imports a malicious file and a suitable gadget chain is present on the blog. | 7.2 |
2023-10-06 | CVE-2023-26153 | Deserialization of Untrusted Data vulnerability in Geokit geokit-rails. Versions of the package geokit-rails before 2.5.0 are vulnerable to command injection due to unsafe deserialization of YAML within the 'geo_location' cookie. | 9.8 |
2023-10-05 | CVE-2023-43981 | Deserialization of Untrusted Data vulnerability in Presto-Changeo Test Site Creator 1.1.1. Presto Changeo testsitecreator up to 1.1.1 was discovered to contain a deserialization vulnerability via the component delete_excluded_folder.php. | 9.8 |
2023-10-03 | CVE-2023-43176 | Deserialization of Untrusted Data vulnerability in Afterlogic Aurora Files 9.7.3. A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via a crafted .sabredav file. | 8.8 |
2023-10-02 | CVE-2023-43268 | Deserialization of Untrusted Data vulnerability in Deyue Remote Vehicle Management System 1.1 (Deyue Remote Vehicle Management System Project). Deyue Remote Vehicle Management System v1.1 was discovered to contain a deserialization vulnerability. | 8.8 |
2023-09-28 | CVE-2023-44273 | Deserialization of Untrusted Data vulnerability in Consensys gnark-crypto. Consensys gnark-crypto through 0.11.2 allows signature malleability. | 9.8 |
2023-09-27 | CVE-2023-43291 | Deserialization of Untrusted Data vulnerability in Emlog. Deserialization of untrusted data in emlog pro v2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component. | 9.8 |
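The geokit-rails entry (CVE-2023-26153) is the clearest illustration in the table of the pattern behind every row: a value the client controls (here a cookie) is handed to a full-featured deserializer that will instantiate whatever class the payload names. The following is an added example written for this page, not geokit-rails' own code; it assumes a cookie that carries raw YAML (geokit's real encoding may differ) and uses two hypothetical application classes, GeoLocation as the type the app expects and LegacyImporter as a stand-in for a gadget whose init_with hook does something with attacker-supplied fields. It shows that a full YAML load rebuilds the attacker-chosen class and runs its hook, while YAML.safe_load with a permitted_classes allow-list rejects it. The same allow-list discipline is what the Spring AMQP entry's allowed-list patterns provide on the Java side.

```ruby
require 'yaml'

# Legitimate object the application expects to find in the geo_location cookie.
# Constructed for this example; it is not geokit-rails' own class.
class GeoLocation
  attr_accessor :city, :lat, :lng

  def initialize(city = nil, lat = nil, lng = nil)
    @city, @lat, @lng = city, lat, lng
  end
end

# Records what a gadget would have executed, so the example has no real side effect.
SIDE_EFFECTS = []

# Hypothetical gadget: any class on the load path whose init_with hook acts on
# attacker-controlled fields. Psych calls init_with when it rebuilds a
# !ruby/object: tag, so the attacker only needs to name the class in the payload.
class LegacyImporter
  def init_with(coder)
    # A real gadget would hand this to system(), Kernel#open, etc.
    SIDE_EFFECTS << "would run: #{coder['command']}"
  end
end

# Cookie values as they would arrive in the Cookie header (constructed inputs).
LEGIT_COOKIE     = "--- !ruby/object:GeoLocation\ncity: Paris\nlat: 48.85\nlng: 2.35\n"
MALICIOUS_COOKIE = "--- !ruby/object:LegacyImporter\ncommand: touch /tmp/pwned\n"

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; older Psych only has the unsafe YAML.load.
def full_yaml_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Vulnerable pattern: the whole YAML type system is available to the client.
def geo_location_from_cookie_unsafe(cookie)
  full_yaml_load(cookie)
end

# Hardened pattern: only the one class the app expects may be instantiated;
# anything else raises Psych::DisallowedClass and is treated as no cookie.
def geo_location_from_cookie_safe(cookie)
  obj = YAML.safe_load(cookie, permitted_classes: [GeoLocation])
  obj.is_a?(GeoLocation) ? obj : nil
rescue Psych::DisallowedClass, Psych::SyntaxError
  nil
end
```

The hardened version still accepts the legitimate cookie, because permitted_classes explicitly names GeoLocation; the point is that the allow-list is the application's decision, not the attacker's. Rejecting the cookie outright (returning nil) is the right failure mode here, since a geolocation hint is never worth a code-execution path.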