Vulnerabilities > Deserialization of Untrusted Data

DATE        CVE                VULNERABILITY TITLE
            (description; then attack vector | complexity | vendor(s) | CWE | risk rating | CVSS score)

2018-12-20  CVE-2018-1000827   Deserialization of Untrusted Data vulnerability in Ubilling 0.9.0/0.9.1/0.9.2
            Ubilling version <= 0.9.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, or remote code execution.
            network | low complexity | ubilling | CWE-502 | critical | 9.8

2018-12-20  CVE-2018-1000824   Deserialization of Untrusted Data vulnerability in Megamek
            MegaMek version < v0.45.1 contains an Other/Unknown vulnerability in Object Stream Connection that can result in disclosure of confidential data, denial of service, SSRF, or remote code execution.
            network | low complexity | megamek | CWE-502 | critical | 9.8

2018-12-14  CVE-2018-20148     Deserialization of Untrusted Data vulnerability in multiple products
            In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call.
            network | low complexity | wordpress debian | CWE-502 | critical | 9.8

2018-12-11  CVE-2018-1904      Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server
            IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources.
            network | low complexity | ibm | CWE-502 | critical | 9.8

2018-12-10  CVE-2018-1000861   Deserialization of Untrusted Data vulnerability in multiple products
            A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier and LTS 2.138.3 and earlier, in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java, that allows attackers to invoke some methods on Java objects by accessing crafted URLs; those methods were not intended to be invoked this way.
            network | low complexity | jenkins redhat | CWE-502 | critical | 9.8

2018-11-30  CVE-2018-16476     Deserialization of Untrusted Data vulnerability in multiple products
            A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
            network | low complexity | rubyonrails redhat | CWE-502 | 7.5

2018-11-30  CVE-2018-18987     Deserialization of Untrusted Data vulnerability in Invt Vt-Designer 2.1.7.31
            VT-Designer version 2.1.7.31 is vulnerable because the program populates objects with user-supplied input read from a file without first checking its validity, allowing attacker-supplied input to be written to known memory locations.
            network | low complexity | invt | CWE-502 | 8.8

2018-11-23  CVE-2018-19499     Deserialization of Untrusted Data vulnerability in Vanillaforums Vanilla
            Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
            network | low complexity | vanillaforums | CWE-502 | 7.2

2018-11-20  CVE-2018-19396     Deserialization of Untrusted Data vulnerability in PHP
            ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.
            network | low complexity | php | CWE-502 | 7.5

2018-11-08  CVE-2018-15381     Deserialization of Untrusted Data vulnerability in Cisco Unity Express
            A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user.
            network | low complexity | cisco | CWE-502 | critical | 9.8