Total
1363 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9301 | 1 Linuxfoundation | 1 Spinnaker | 2020-12-14 | 6.5 MEDIUM | 8.8 HIGH |
| Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior to version 1.23.4, 1.22.4 or 1.21.5. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests. | |||||
| CVE-2020-5664 | 1 Riken | 1 Xoonips | 2020-11-20 | 7.5 HIGH | 9.8 CRITICAL |
| Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2020-26207 | 1 Databaseschemareader Project | 1 Dbschemareader | 2020-11-19 | 6.8 MEDIUM | 8.0 HIGH |
| DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened. | |||||
| CVE-2020-10721 | 1 Redhat | 1 Fabric8-maven | 2020-10-27 | 6.9 MEDIUM | 7.8 HIGH |
| A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-26945 | 1 Mybatis | 1 Mybatis | 2020-10-26 | 5.1 MEDIUM | 8.1 HIGH |
| MyBatis before 3.5.6 mishandles deserialization of object streams. | |||||
| CVE-2020-12133 | 1 Farukawa | 1 Electric Consciousmap | 2020-10-23 | 10.0 HIGH | 9.8 CRITICAL |
| The Apros Evolution, ConsciusMap, and Furukawa provisioning systems through 2.8.1 allow remote code execution because of javax.faces.ViewState Java deserialization. | |||||
| CVE-2020-24648 | 1 Hp | 1 Intelligent Management Center | 2020-10-21 | 10.0 HIGH | 9.8 CRITICAL |
| A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). | |||||
| CVE-2020-7811 | 2 Microsoft, Samsung | 2 Windows, Update | 2020-10-19 | 4.6 MEDIUM | 7.8 HIGH |
| Samsung Update 3.0.2.0 ~ 3.0.32.0 has a vulnerability that allows privilege escalation as commands crafted by attacker are executed while the engine deserializes the data received during inter-process communication | |||||
| CVE-2020-14030 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2020-10-09 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious .NET serialized files, an attacker can trick the product into deserializing them, resulting in arbitrary code execution. | |||||
| CVE-2020-15172 | 1 Fluffycogs Project | 1 Fluffycogs | 2020-10-08 | 6.5 MEDIUM | 8.8 HIGH |
| The Act module for Red Discord Bot before commit 6b9f3b86 is vulnerable to Remote Code Execution. With this exploit, Discord users can use specially crafted messages to perform destructive actions and/or access sensitive information. Unloading the Act module with `unload act` can render this exploit inaccessible. | |||||
| CVE-2019-16774 | 1 Phpfastcache | 1 Phpfastcache | 2020-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver. | |||||
| CVE-2018-16364 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-29 | 9.3 HIGH | 8.1 HIGH |
| A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. | |||||
| CVE-2020-15188 | 1 Brassica | 1 Soy Cms | 2020-09-29 | 6.8 MEDIUM | 9.8 CRITICAL |
| SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328. | |||||
| CVE-2020-15148 | 1 Yiiframework | 1 Yii | 2020-09-22 | 7.5 HIGH | 10.0 CRITICAL |
| Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. | |||||
| CVE-2020-7528 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2020-09-21 | 6.8 MEDIUM | 7.8 HIGH |
| A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized buffer. | |||||
| CVE-2020-7532 | 1 Schneider-electric | 1 Scadapack X70 Security Administrator | 2020-09-21 | 6.8 MEDIUM | 7.8 HIGH |
| A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom .SDB file containing a malicious serialized buffer. | |||||
| CVE-2018-3784 | 1 Cryo Project | 1 Cryo | 2020-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization. | |||||
| CVE-2014-1420 | 1 Canonical | 1 Ubuntu-ui-toolkit | 2020-09-16 | 2.1 LOW | 3.3 LOW |
| On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1. | |||||
| CVE-2018-15425 | 1 Cisco | 1 Identity Services Engine | 2020-09-16 | 6.5 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. | |||||
| CVE-2020-4521 | 1 Ibm | 1 Maximo Asset Management | 2020-09-16 | 9.0 HIGH | 8.8 HIGH |
| IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in Java. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 182396. | |||||