Deserialization of Untrusted Data (CWE-502) vulnerabilities

DATE        CVE               VULNERABILITY TITLE
Each entry lists the description, then the risk fields: attack vector, attack complexity, vendor tag(s), CWE, severity label (where given) and score.

2017-09-28  CVE-2017-10932    Deserialization of Untrusted Data vulnerability in ZTE products
    All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products - NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950 are the applications of C/S architecture using the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities.
    Risk: network attack vector; low attack complexity; vendor: zte; CWE-502; critical; 9.8

2017-09-19  CVE-2017-14141    Deserialization of Untrusted Data vulnerability in Kaltura Server
    The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
    Risk: network attack vector; low attack complexity; vendor: kaltura; CWE-502; 7.2

2017-09-15  CVE-2017-9805     Deserialization of Untrusted Data vulnerability in multiple products
    The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
    Risk: network attack vector; high attack complexity; vendors: apache, cisco, netapp; CWE-502; 8.1

2017-09-13  CVE-2017-12612    Deserialization of Untrusted Data vulnerability in Apache Spark
    In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket.
    Risk: local attack vector; low attack complexity; vendor: apache; CWE-502; 7.8

2017-09-13  CVE-2016-8744     Deserialization of Untrusted Data vulnerability in Apache Brooklyn
    Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs.
    Risk: network attack vector; low attack complexity; vendor: apache; CWE-502; 8.8

2017-08-30  CVE-2017-14035    Deserialization of Untrusted Data vulnerability in CrushFTP
    CrushFTP 8.x before 8.2.0 has a serialization vulnerability.
    Risk: network attack vector; low attack complexity; vendor: crushftp; CWE-502; critical; 9.8

2017-08-08  CVE-2017-11153    Deserialization of Untrusted Data vulnerability in Synology Photo Station
    Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
    Risk: network attack vector; low attack complexity; vendor: synology; CWE-502; critical; 9.8

2017-07-20  CVE-2017-9785     Deserialization of Untrusted Data vulnerability in NancyFX Nancy
    Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie.
    Risk: network attack vector; low attack complexity; vendor: nancyfx; CWE-502; critical; 9.8

2017-07-17  CVE-2017-1000053  Deserialization of Untrusted Data vulnerability in Plug Project Plug
    Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.
    Risk: network attack vector; high attack complexity; vendor: plug-project; CWE-502; 8.1

2017-07-17  CVE-2017-1000034  Deserialization of Untrusted Data vulnerability in Akka
    Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a Java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.
    Risk: network attack vector; high attack complexity; vendor: akka; CWE-502; 8.1