Vulnerabilities > Deserialization of Untrusted Data
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-17 | CVE-2017-1000208 | Deserialization of Untrusted Data vulnerability in Swagger Swagger-Codegen and Swagger-Parser A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. | 8.8 |
| 2017-11-17 | CVE-2017-1000195 | Deserialization of Untrusted Data vulnerability in Octobercms October October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. | 7.5 |
| 2017-11-15 | CVE-2017-12634 | Deserialization of Untrusted Data vulnerability in Apache Camel The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. | 9.8 |
| 2017-11-15 | CVE-2017-12633 | Deserialization of Untrusted Data vulnerability in Apache Camel The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. | 9.8 |
| 2017-11-09 | CVE-2015-7501 | Deserialization of Untrusted Data vulnerability in Redhat products Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | 9.8 |
| 2017-11-03 | CVE-2017-1000148 | Deserialization of Untrusted Data vulnerability in Mahara Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file. | 8.8 |
| 2017-10-27 | CVE-2016-5003 | Deserialization of Untrusted Data vulnerability in Apache Ws-Xmlrpc 3.1.3 The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | 9.8 |
| 2017-10-23 | CVE-2017-12796 | Deserialization of Untrusted Data vulnerability in Openmrs The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. | 9.8 |
| 2017-10-20 | CVE-2017-12628 | Deserialization of Untrusted Data vulnerability in Apache James Server 2.3.2/2.3.2.1/3.0.0 The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. | 7.8 |
| 2017-10-18 | CVE-2015-5164 | Deserialization of Untrusted Data vulnerability in Pulpproject Qpid The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. | 7.2 |