Vulnerabilities > Deserialization of Untrusted Data
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-05-22 | CVE-2016-10750 | Deserialization of Untrusted Data vulnerability in Hazelcast. In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. | 8.1 |
2019-05-20 | CVE-2019-12241 | Deserialization of Untrusted Data vulnerability in Carts.Guru Carts Guru 1.4.5. The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserialization via a cartsguru-source cookie to classes/wc-cartsguru-event-handler.php. | 9.8 |
2019-05-20 | CVE-2019-12240 | Deserialization of Untrusted Data vulnerability in Virim Project Virim 0.4. The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php. | 9.8 |
2019-05-17 | CVE-2019-12086 | Deserialization of Untrusted Data vulnerability in multiple products. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. | 7.5 |
2019-05-17 | CVE-2019-4279 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server. IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. | 9.8 |
2019-05-16 | CVE-2019-10912 | Deserialization of Untrusted Data vulnerability in Sensiolabs Symfony. In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. | 7.1 |
2019-05-09 | CVE-2019-11831 | Deserialization of Untrusted Data vulnerability in multiple products. The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | 9.8 |
2019-05-09 | CVE-2019-11830 | Deserialization of Untrusted Data vulnerability in Typo3 Pharstreamwrapper. PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism. | 9.8 |
2019-05-08 | CVE-2019-11458 | Deserialization of Untrusted Data vulnerability in Cakephp 3.7.6. An issue was discovered in SmtpTransport in CakePHP 3.7.6. | 7.5 |
2019-05-06 | CVE-2019-5434 | Deserialization of Untrusted Data vulnerability in Revive-Sas Revive Adserver. An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. | 9.8 |