Deserialization of Untrusted Data (CWE-502)
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS v3 base score) |
---|---|---|---|
2017-10-04 | CVE-2017-12149 | Deserialization of Untrusted Data vulnerability in Red Hat JBoss Enterprise Application Platform. In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data. | 9.8 |
2017-10-04 | CVE-2017-0806 | Deserialization of Untrusted Data vulnerability in Google Android. An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). | 7.8 |
2017-09-30 | CVE-2017-14702 | Deserialization of Untrusted Data vulnerability in Branagh Group ERS Data System 1.8.1.0. ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization. | 9.8 |
2017-09-28 | CVE-2017-10932 | Deserialization of Untrusted Data vulnerability in ZTE products. All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products (NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950) are client/server (C/S) applications that use the Java RMI service; the servers use the Apache Commons Collections (ACC) library, which may result in Java deserialization vulnerabilities. | 9.8 |
2017-09-19 | CVE-2017-14141 | Deserialization of Untrusted Data vulnerability in Kaltura Server. The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. | 7.2 |
2017-09-15 | CVE-2017-9805 | Deserialization of Untrusted Data vulnerability in multiple products (Apache Struts). The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. | 8.1 |
2017-09-13 | CVE-2017-12612 | Deserialization of Untrusted Data vulnerability in Apache Spark. In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. | 7.8 |
2017-09-13 | CVE-2016-8744 | Deserialization of Untrusted Data vulnerability in Apache Brooklyn. Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. | 8.8 |
2017-08-30 | CVE-2017-14035 | Deserialization of Untrusted Data vulnerability in CrushFTP. CrushFTP 8.x before 8.2.0 has a serialization vulnerability. | 9.8 |
2017-08-08 | CVE-2017-11153 | Deserialization of Untrusted Data vulnerability in Synology Photo Station. Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. | 9.8 |
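The common root cause behind the JBoss (CVE-2017-12149) and Struts (CVE-2017-9805) entries above is a deserializer that accepts whatever class name the incoming stream names. The following added example, which is not code from any of the listed projects, shows the unrestricted `ObjectInputStream` pattern next to a hardened variant that overrides `resolveClass()` to enforce an allowlist; the class names `DeserializationAllowlistDemo`, `PingRequest` and `AllowlistObjectInputStream` are illustrative, and the "foreign" stream is a constructed `java.util.HashMap`, standing in for attacker-controlled bytes rather than any real gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class DeserializationAllowlistDemo {

    // The only message type this hypothetical endpoint is supposed to receive.
    static final class PingRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String clientId;
        final int sequence;
        PingRequest(String clientId, int sequence) {
            this.clientId = clientId;
            this.sequence = sequence;
        }
    }

    // Vulnerable pattern: every Serializable class on the classpath is fair game,
    // because the stream, not the application, decides which classes get instantiated.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: resolveClass() runs for each class descriptor in the stream
    // before the class is loaded or any of its readObject()/readResolve() code runs,
    // so unexpected types are refused before they can do anything.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(PingRequest.class.getName())));

        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                    "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PingRequest("client-42", 7));

        // Constructed stand-in for attacker-supplied bytes: a harmless HashMap, but one
        // the endpoint never asked for. A real payload would name a gadget class instead.
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] foreign = serialize(unexpected);

        System.out.println("unsafe, expected type: " + unsafeDeserialize(expected).getClass().getName());
        System.out.println("unsafe, foreign type : " + unsafeDeserialize(foreign).getClass().getName());
        System.out.println("safe,   expected type: " + safeDeserialize(expected).getClass().getName());
        try {
            safeDeserialize(foreign);
            System.out.println("safe,   foreign type : accepted (allowlist is broken)");
        } catch (InvalidClassException e) {
            System.out.println("safe,   foreign type : rejected (" + e.classname + ")");
        }
    }
}
```

Compile and run with `javac DeserializationAllowlistDemo.java && java DeserializationAllowlistDemo`; the unsafe path instantiates `java.util.HashMap` without complaint, the allowlisted path throws `InvalidClassException` for it. Two practical caveats: the list must be an allowlist of the few types the endpoint actually expects, never a denylist of known gadgets, and `resolveClass()` is not invoked for strings and primitive fields, so field contents still need ordinary input validation. On Java 9 and later (and 8u121 and later), the JEP 290 `ObjectInputFilter` mechanism expresses the same policy as a pattern such as `DeserializationAllowlistDemo$PingRequest;!*` and additionally bounds stream depth and array sizes; XStream, the parser named in the Struts entry, has its own equivalent in `addPermission(NoTypePermission.NONE)` followed by `allowTypes(...)`.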