VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (971)

page 16 of 49
  • CVE-2023-51470 · Critical · Dec 29, 2023
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Jacques Malgrange Rencontre – Dating Site. This issue affects Rencontre – Dating Site: from n/a through 3.11.1.

  • CVE-2023-51422 · Critical · Dec 29, 2023
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition. This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.

  • CVE-2020-36727 · Critical · Jun 7, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.

  • CVE-2020-36726 · Critical · Jun 7, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.

  • CVE-2020-36718 · Critical · Jun 7, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input "njt_gdpr_allow_permissions" value. This allows unauthenticated attackers to inject a PHP Object.

  • CVE-2014-9515 · Critical · Dec 29, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.05

    Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.

  • CVE-2017-8045 · Critical · Nov 27, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

  • CVE-2017-12633 · Critical · Nov 15, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 contains a Java object deserialisation vulnerability. Deserialising untrusted data can lead to security flaws.

  • CVE-2017-12796 · Critical · Oct 23, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.06

    The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.

  • CVE-2016-8736 · Critical · Oct 12, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.06

    Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.

  • CVE-2017-14035 · Critical · Aug 30, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    CrushFTP 8.x before 8.2.0 has a serialization vulnerability.

  • CVE-2017-9785 · Critical · Jul 20, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie.

  • CVE-2017-9830 · Critical · Jun 27, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.09

    Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.

  • CVE-2017-9424 · Critical · Jun 22, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization.

  • CVE-2016-7050 · Critical · Jun 8, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.

  • CVE-2016-3690 · Critical · Jun 8, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

  • CVE-2017-5878 · Critical · Jun 8, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which they perform deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

  • CVE-2017-9363 · Critical · Jun 2, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request.

  • CVE-2016-0779 · Critical · Apr 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.05

    The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.

  • CVE-2017-5983 · Critical · Apr 10, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.06

    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.