Vulnerabilities > Deserialization of Untrusted Data
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-19 | CVE-2023-35186 | Deserialization of Untrusted Data vulnerability in SolarWinds Access Rights Manager. The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. | 8.8 |
2023-10-19 | CVE-2023-46227 | Deserialization of Untrusted Data vulnerability in Apache InLong. Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0; the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8814 | 7.5 |
2023-10-19 | CVE-2023-34050 | Deserialization of Untrusted Data vulnerability in VMware Spring Advanced Message Queuing Protocol. In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if: (1) the SimpleMessageConverter or SerializerMessageConverter is used; (2) the user does not configure allowed list patterns; (3) untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content. | 4.3 |
2023-10-18 | CVE-2023-45146 | Deserialization of Untrusted Data vulnerability in Xxl-Rpc Project Xxl-Rpc. XXL-RPC is a high performance, distributed RPC framework. | 10.0 |
2023-10-18 | CVE-2023-35084 | Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager. Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely. | 9.8 |
2023-10-16 | CVE-2023-4971 | Deserialization of Untrusted Data vulnerability in Weavertheme Weaver Xtreme Theme Support. The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports a malicious file and a suitable gadget chain is present on the blog. | 7.2 |
2023-10-11 | CVE-2023-23930 | Deserialization of Untrusted Data vulnerability in Vantage6. vantage6 is privacy preserving federated learning infrastructure. | 7.2 |
2023-10-09 | CVE-2023-44392 | Deserialization of Untrusted Data vulnerability in Garden. Garden provides automation for Kubernetes development and testing. | 9.0 |
2023-10-06 | CVE-2023-26153 | Deserialization of Untrusted Data vulnerability in Geokit Geokit-Rails. Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. | 9.8 |
2023-10-05 | CVE-2023-43981 | Deserialization of Untrusted Data vulnerability in Presto-Changeo Test Site Creator 1.1.1. Presto Changeo testsitecreator up to 1.1.1 was discovered to contain a deserialization vulnerability via the component delete_excluded_folder.php. | 9.8 |