CWE-502

Deserialization of Untrusted Data

Base | Draft | Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (971)

  • CVE-2024-49222 | Critical | Jan 7, 2025
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Object Injection. This issue affects WPGuppy: from n/a through <= 1.1.0.

  • CVE-2024-54367 | Critical | Dec 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection. This issue affects ForumWP: from n/a through <= 2.1.0.

  • CVE-2024-54273 | Critical | Dec 13, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker mail-picker allows Object Injection. This issue affects Mail Picker: from n/a through <= 1.0.14.

  • CVE-2024-51363 | Critical | Dec 3, 2024
    risk 0.64 | cvss 9.8 | epss 0.00

    Insecure deserialization in Hodoku v2.3.0 to v2.3.2 allows attackers to execute arbitrary code.

  • CVE-2024-9511 | Critical | Nov 23, 2024
    risk 0.64 | cvss 9.8 | epss 0.03

    The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability was partially patched in version 2.2.82.

  • CVE-2024-52443 | Critical | Nov 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection. This issue affects Geolocator: from n/a through <= 1.1.

  • CVE-2024-52440 | Critical | Nov 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection. This issue affects Xpresslane Fast Checkout: from n/a through <= 1.0.0.

  • CVE-2024-52439 | Critical | Nov 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection. This issue affects Team Rosters: from n/a through <= 4.8.2.

  • CVE-2024-52432 | Critical | Nov 18, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection. This issue affects NIX Anti-Spam Light: from n/a through <= 0.0.4.

  • CVE-2024-52414 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu wdes-responsive-mobile-menu allows Object Injection. This issue affects WDES Responsive Mobile Menu: from n/a through <= 5.3.18.

  • CVE-2024-52413 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.04

    Deserialization of Untrusted Data vulnerability in dmcwebzone Airin Blog airin-blog allows Object Injection. This issue affects Airin Blog: from n/a through <= 1.6.1.

  • CVE-2024-52412 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection. This issue affects Xin: from n/a through 1.0.8.1.

  • CVE-2024-52411 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in flowcraft Advanced Personalization personalization-by-flowcraft allows Object Injection. This issue affects Advanced Personalization: from n/a through <= 1.1.2.

  • CVE-2024-52410 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Phoenixheart Referrer Detector referrer-detector allows Object Injection. This issue affects Referrer Detector: from n/a through <= 4.2.1.0.

  • CVE-2024-52409 | Critical | Nov 16, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Phoenixheart AJAX Random Posts ajax-random-posts allows Object Injection. This issue affects AJAX Random Posts: from n/a through <= 0.3.3.

  • CVE-2024-10456 | Critical | Oct 30, 2024
    risk 0.64 | cvss 9.8 | epss 0.02

    Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication.

  • CVE-2024-48206 | Critical | Oct 29, 2024
    risk 0.64 | cvss 9.8 | epss 0.00

    A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code.

  • CVE-2024-49625 | Critical | Oct 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in sphoid SiteBuilder Dynamic Components sitebuilder-dynamic-components allows Object Injection. This issue affects SiteBuilder Dynamic Components: from n/a through <= 1.0.

  • CVE-2024-49624 | Critical | Oct 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in smartdevth Advanced Advertising System advanced-advertising-system allows Object Injection. This issue affects Advanced Advertising System: from n/a through <= 1.3.1.

  • CVE-2024-49332 | Critical | Oct 20, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in giveawayboost Giveaway Boost giveaway-boost allows Object Injection. This issue affects Giveaway Boost: from n/a through <= 2.1.4.