VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 17 of 87
  • CVE-2023-51470CriDec 29, 2023
    risk 0.64cvss 9.9epss 0.01

    Deserialization of Untrusted Data vulnerability in Jacques Malgrange Rencontre – Dating Site.This issue affects Rencontre – Dating Site: from n/a through 3.11.1.

  • CVE-2023-51422CriDec 29, 2023
    risk 0.64cvss 9.9epss 0.01

    Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition.This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom…

  • CVE-2020-36727CriJun 7, 2023
    risk 0.64cvss 9.8epss 0.02

    The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it…

  • CVE-2020-36726CriJun 7, 2023
    risk 0.64cvss 9.8epss 0.02

    The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present…

  • CVE-2018-3972CriSep 26, 2018
    risk 0.64cvss 9.8epss 0.04

    An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in…

  • CVE-2018-1567CriSep 7, 2018
    risk 0.64cvss 9.8epss 0.04

    IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.

  • CVE-2018-1000641CriAug 20, 2018
    risk 0.64cvss 9.8epss 0.02

    YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user entered parameter in i18n.inc.php that can result in execution of code, disclosure of information.

  • CVE-2018-3784CriAug 17, 2018
    risk 0.64cvss 9.8epss 0.03

    A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.

  • CVE-2017-10934CriJul 25, 2018
    risk 0.64cvss 9.8epss 0.03

    All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the…

  • CVE-2016-9483CriJul 13, 2018
    risk 0.64cvss 9.8epss 0.03

    The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file…

  • CVE-2018-1000525CriJun 26, 2018
    risk 0.64cvss 9.8epss 0.04

    openpsa contains a PHP Object Injection vulnerability in Form data passed as GET request variables that can result in Possible information disclosure and remote code execution. This attack appear to be exploitable via Specially crafted GET request variable containing serialised…

  • CVE-2017-3207CriJun 11, 2018
    risk 0.64cvss 9.8epss 0.08

    The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to…

  • CVE-2017-3202CriJun 11, 2018
    risk 0.64cvss 9.8epss 0.08

    The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this…

  • CVE-2018-10085CriApr 13, 2018
    risk 0.64cvss 9.8epss 0.04

    CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files.

  • CVE-2018-1295CriApr 2, 2018
    risk 0.64cvss 9.8epss 0.07

    In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be…

  • CVE-2015-2020CriMar 29, 2018
    risk 0.64cvss 9.8epss 0.03

    The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.

  • CVE-2018-1000059CriFeb 9, 2018
    risk 0.64cvss 9.8epss 0.02

    ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnerability in Valid Form unserialize method that can result in Possible to execute unauthorised system commands remotely and disclose file contents in file system.

  • CVE-2017-4947CriJan 29, 2018
    risk 0.64cvss 9.8epss 0.09

    VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.

  • CVE-2017-17406CriJan 23, 2018
    risk 0.64cvss 9.8epss 0.05

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within an exposed RMI registry, which listens on TCP ports 1800…

  • CVE-2017-8045CriNov 27, 2017
    risk 0.64cvss 9.8epss 0.04

    In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.