VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 36 of 87
  • CVE-2024-1685HigMar 16, 2024
    risk 0.57cvss 8.8epss 0.01

    The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with…

  • CVE-2024-2006HigMar 13, 2024
    risk 0.57cvss 8.8epss 0.01

    The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup…

  • CVE-2024-1772HigMar 13, 2024
    risk 0.57cvss 8.8epss 0.01

    The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible…

  • CVE-2024-1773HigMar 7, 2024
    risk 0.57cvss 8.8epss 0.01

    The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with…

  • CVE-2024-1731HigMar 5, 2024
    risk 0.57cvss 8.8epss 0.01

    The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post meta option. This makes it possible for authenticated attackers, with…

  • CVE-2024-0825HigMar 5, 2024
    risk 0.57cvss 8.8epss 0.01

    The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function.…

  • CVE-2024-1859HigMar 1, 2024
    risk 0.57cvss 8.8epss 0.01

    The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it…

  • CVE-2024-23512HigFeb 12, 2024
    risk 0.57cvss 8.7epss 0.01

    Deserialization of Untrusted Data vulnerability in wpxpo ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks.This issue affects ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks: from n/a through 3.1.4.

  • CVE-2024-23513HigFeb 12, 2024
    risk 0.57cvss 8.7epss 0.01

    Deserialization of Untrusted Data vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.5.

  • CVE-2024-22309HigJan 24, 2024
    risk 0.57cvss 8.7epss 0.01

    Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI.This issue affects ChatBot with AI: from n/a through 5.1.0.

  • CVE-2024-23636CriJan 23, 2024
    risk 0.57cvss 9.8epss 0.01

    SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to…

  • CVE-2017-20189CriJan 22, 2024
    risk 0.57cvss 9.8epss 0.01

    In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

  • CVE-2024-23730CriJan 21, 2024
    risk 0.57cvss 9.8epss 0.01

    The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.

  • CVE-2023-48887CriDec 1, 2023
    risk 0.57cvss 9.8epss 0.02

    A deserialization vulnerability in Jupiter v1.3.1 allows attackers to execute arbitrary commands via sending a crafted RPC request.

  • CVE-2022-41678HigNov 28, 2023
    risk 0.57cvss 8.8epss 0.86

    Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able…

  • CVE-2023-46302CriNov 20, 2023
    risk 0.57cvss 9.8epss 0.02

    Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2022-1471 . Apache Submarine uses JAXRS to define REST endpoints. In order to handle YAML requests (using application/yaml…

  • CVE-2023-47204CriNov 2, 2023
    risk 0.57cvss 9.8epss 0.01

    Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.

  • CVE-2023-5583HigOct 30, 2023
    risk 0.57cvss 8.8epss 0.01

    The WP Simple Galleries plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.34 via deserialization of untrusted input from the 'wpsimplegallery_gallery' post meta via 'wpsgallery' shortcode. This allows authenticated attackers, with…

  • CVE-2023-43668CriOct 16, 2023
    risk 0.57cvss 9.8epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... .   Users are advised to upgrade…

  • CVE-2023-41330CriSep 6, 2023
    risk 0.57cvss 9.8epss 0.02

    knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. ## Issue On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2…