Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2020-12-31 CVE-2020-26165 Deserialization of Untrusted Data vulnerability in Qdpm 8.3/9.0/9.1
qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.
network
low complexity
qdpm CWE-502
8.8
8.8
2020-12-31 CVE-2019-7725 Deserialization of Untrusted Data vulnerability in Nukeviet
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
network
low complexity
nukeviet CWE-502
critical
 9.8
9.8
2020-12-27 CVE-2020-35728 Deserialization of Untrusted Data vulnerability in multiple products
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
network
high complexity
fasterxml debian netapp oracle CWE-502
8.1
8.1
2020-12-17 CVE-2020-35491 Deserialization of Untrusted Data vulnerability in multiple products
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
network
high complexity
fasterxml netapp debian oracle CWE-502
8.1
8.1
2020-12-17 CVE-2020-35490 Deserialization of Untrusted Data vulnerability in multiple products
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
network
high complexity
fasterxml netapp debian oracle CWE-502
8.1
8.1
2020-12-17 CVE-2020-22083 Deserialization of Untrusted Data vulnerability in Jsonpickle Project Jsonpickle
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.
network
low complexity
jsonpickle-project CWE-502
critical
 9.8
9.8
2020-12-14 CVE-2020-20136 Deserialization of Untrusted Data vulnerability in Quantconnect Lean 2.3.0.0/2.4.0.1
QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library.
network
low complexity
quantconnect CWE-502
critical
 9.8
9.8
2020-12-11 CVE-2020-9301 Deserialization of Untrusted Data vulnerability in Linuxfoundation Spinnaker
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5.
network
low complexity
linuxfoundation CWE-502
8.8
8.8
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
local
low complexity
php debian fedoraproject drupal CWE-502
7.8
7.8
2020-11-17 CVE-2020-27131 Deserialization of Untrusted Data vulnerability in Cisco Security Manager
Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
network
low complexity
cisco CWE-502
critical
 9.8
9.8