VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 4 of 87
  • CVE-2024-25100 | Critical | Feb 12, 2024
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program allows Object Injection. This issue affects Coupon Referral Program: from n/a before 1.8.4.

  • CVE-2023-52225 | Critical | Jan 8, 2024
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics. This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1.

  • CVE-2023-52218 | Critical | Jan 8, 2024
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway. This issue affects Woocommerce Tranzila Payment Gateway: from n/a through 1.0.8.

  • CVE-2023-52181 | Critical | Dec 31, 2023
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Presslabs Theme per user. This issue affects Theme per user: from n/a through 1.0.1.

  • CVE-2023-51505 | Critical | Dec 29, 2023
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store. This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store: from n/a…

  • CVE-2023-49778 | Critical | Dec 21, 2023
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac. This issue affects Sayfa Sayac: from n/a through 2.6.

  • CVE-2023-49773 | Critical | Dec 20, 2023
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes. This issue affects BCorp Shortcodes: from n/a through 0.23.

  • CVE-2023-49772 | Critical | Dec 20, 2023
    risk 0.65 | CVSS 10.0 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love. This issue affects Genesis Simple Love: from n/a through 2.0.

  • CVE-2016-9498 | Critical | Jul 13, 2018
    risk 0.65 | CVSS 9.8 | EPSS 0.22

    ManageEngine Applications Manager 12 and 13 before build 13200 allows unserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating…

  • CVE-2017-5790 | Critical | Feb 15, 2018
    risk 0.65 | CVSS 9.8 | EPSS 0.18

    A remote deserialization of untrusted data vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found.

  • CVE-2016-8511 | Critical | Feb 15, 2018
    risk 0.65 | CVSS 9.8 | EPSS 0.16

    A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization, versions v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20, was found.

  • CVE-2016-6814 | Critical | Jan 18, 2018
    risk 0.65 | CVSS 9.8 | EPSS 0.17

    When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a…

  • CVE-2017-15708 | Critical | Dec 11, 2017
    risk 0.65 | CVSS 9.8 | EPSS 0.18

    In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution attacks that can be performed by injecting specially…

  • CVE-2016-5003 | Critical | Oct 27, 2017
    risk 0.65 | CVSS 9.8 | EPSS 0.15

    The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.

  • CVE-2017-5983 | Critical | Apr 10, 2017
    risk 0.65 | CVSS 9.8 | EPSS 0.16

    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

  • CVE-2014-8731 | Critical | Mar 23, 2017
    risk 0.65 | CVSS 9.8 | EPSS 0.12

    PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to "serialized data and the last part of the concatenated filename," which creates a file in the webroot.

  • CVE-2016-6330 | Critical | Sep 27, 2016
    risk 0.65 | CVSS 9.8 | EPSS 0.11

    The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability…

  • CVE-2016-7124 | Critical | Sep 12, 2016
    risk 0.65 | CVSS 9.8 | EPSS 0.16

    ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or…

  • CVE-2015-6420 | Critical | Dec 15, 2015
    risk 0.65 | CVSS 9.8 | EPSS 0.19

    Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and…

  • CVE-2026-9691 | Critical | Jun 15, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms versions <= 1.1.1.