Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2017-11-03 CVE-2017-1000148 Deserialization of Untrusted Data vulnerability in Mahara
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file.
network
low complexity
mahara CWE-502
8.8
2017-10-27 CVE-2016-5003 Deserialization of Untrusted Data vulnerability in Apache Ws-Xmlrpc 3.1.3
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
network
low complexity
apache CWE-502
critical
9.8
2017-10-23 CVE-2017-12796 Deserialization of Untrusted Data vulnerability in Openmrs
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects.
network
low complexity
openmrs CWE-502
critical
9.8
2017-10-20 CVE-2017-12628 Deserialization of Untrusted Data vulnerability in Apache James Server 2.3.2/2.3.2.1/3.0.0
The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands.
local
low complexity
apache CWE-502
7.8
2017-10-18 CVE-2015-5164 Deserialization of Untrusted Data vulnerability in Pulpproject Qpid
The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp.
network
low complexity
pulpproject CWE-502
7.2
2017-10-12 CVE-2016-8736 Deserialization of Untrusted Data vulnerability in Apache Openmeetings
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
network
low complexity
apache CWE-502
critical
9.8
2017-10-11 CVE-2017-0903 Deserialization of Untrusted Data vulnerability in multiple products
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability.
network
low complexity
rubygems debian canonical redhat CWE-502
critical
9.8
2017-10-04 CVE-2017-12149 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
network
low complexity
redhat CWE-502
critical
9.8
2017-10-04 CVE-2017-0806 Deserialization of Untrusted Data vulnerability in Google Android
An elevation of privilege vulnerability in the Android framework (gatekeeperresponse).
local
low complexity
google CWE-502
7.8
2017-09-30 CVE-2017-14702 Deserialization of Untrusted Data vulnerability in Branaghgroup ERS Data System 1.8.1.0
ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
network
low complexity
branaghgroup CWE-502
critical
9.8