Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2023-07-19 CVE-2023-28754 Deserialization of Untrusted Data vulnerability in Apache Shardingsphere
Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file. The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader.
network
low complexity
apache CWE-502
8.8
2023-07-13 CVE-2023-25770 Deserialization of Untrusted Data vulnerability in Honeywell C300 Firmware
Controller DoS may occur due to buffer overflow when an error is generated in response to a specially crafted message. See Honeywell Security Notification for recommendations on upgrading and versioning.
network
low complexity
honeywell CWE-502
7.5
2023-07-01 CVE-2023-28323 Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager
A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights.
network
low complexity
ivanti CWE-502
critical
9.8
2023-06-29 CVE-2023-31222 Deserialization of Untrusted Data vulnerability in Medtronic Paceart Optima 1.11
Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.
network
low complexity
medtronic CWE-502
8.8
2023-06-28 CVE-2023-21205 Deserialization of Untrusted Data vulnerability in Google Android 13.0
In startWpsPinDisplayInternal of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization.
local
low complexity
google CWE-502
5.5
2023-06-28 CVE-2023-21206 Deserialization of Untrusted Data vulnerability in Google Android 13.0
In initiateVenueUrlAnqpQueryInternal of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization.
local
low complexity
google CWE-502
4.4
2023-06-28 CVE-2023-21209 Deserialization of Untrusted Data vulnerability in Google Android 13.0
In multiple functions of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization.
local
low complexity
google CWE-502
6.7
2023-06-23 CVE-2023-33299 Deserialization of Untrusted Data vulnerability in Fortinet Fortinac
A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port.
network
low complexity
fortinet CWE-502
critical
9.8
2023-06-20 CVE-2023-26436 Deserialization of Untrusted Data vulnerability in Open-Xchange Appsuite Backend
Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization.
low complexity
open-xchange CWE-502
8.8
2023-06-19 CVE-2023-35839 Deserialization of Untrusted Data vulnerability in Solon
A bypass in the component sofa-hessian of Solon before v2.3.3 allows attackers to execute arbitrary code via providing crafted payload.
network
low complexity
solon CWE-502
critical
9.8