Vulnerabilities > Deserialization of Untrusted Data
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-12-20 | CVE-2018-1000827 | Deserialization of Untrusted Data vulnerability in Ubilling 0.9.0/0.9.1/0.9.2 Ubilling version <= 0.9.2 contains a Other/Unknown vulnerability in user-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. | 9.8 |
2018-12-20 | CVE-2018-1000824 | Deserialization of Untrusted Data vulnerability in Megamek MegaMek version < v0.45.1 contains a Other/Unknown vulnerability in Object Stream Connection that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. | 9.8 |
2018-12-14 | CVE-2018-20148 | Deserialization of Untrusted Data vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. | 9.8 |
2018-12-11 | CVE-2018-1904 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. | 9.8 |
2018-12-10 | CVE-2018-1000861 | Deserialization of Untrusted Data vulnerability in multiple products A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. | 9.8 |
2018-11-30 | CVE-2018-16476 | Deserialization of Untrusted Data vulnerability in multiple products A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. | 7.5 |
2018-11-30 | CVE-2018-18987 | Deserialization of Untrusted Data vulnerability in Invt Vt-Designer 2.1.7.31 VT-Designer Version 2.1.7.31 is vulnerable by the program populating objects with user supplied input via a file without first checking for validity, allowing attacker supplied input to be written to known memory locations. | 8.8 |
2018-11-23 | CVE-2018-19499 | Deserialization of Untrusted Data vulnerability in Vanillaforums Vanilla Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class. | 7.2 |
2018-11-20 | CVE-2018-19396 | Deserialization of Untrusted Data vulnerability in PHP ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class. | 7.5 |
2018-11-08 | CVE-2018-15381 | Deserialization of Untrusted Data vulnerability in Cisco Unity Express A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. | 9.8 |