Total: 1839 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-8069 | 1 Citrix Session Recording | 1 Citrix Session Recording | 2024-11-15 | 8.8 High |
Limited remote code execution with the privileges of the NetworkService account in Citrix Session Recording, if the attacker is an authenticated user on the same intranet as the Session Recording server. | ||||
CVE-2024-7434 | 2 Ultrapress, Ultrapressorg | 2 Ultrapress, Ultrapress | 2024-11-13 | 8.8 High |
The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
CVE-2024-7433 | 1 Ultrapress | 2 Empowerment, Empowerment Theme For Wordpress | 2024-11-13 | 8.8 High |
The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
CVE-2024-7432 | 2 Ultrapress, Ultrapressorg | 2 Unseen Blog, Unseen Blog | 2024-11-13 | 8.8 High |
The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
CVE-2024-47636 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-12 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Eyecix JobSearch allows Object Injection. This issue affects JobSearch: from n/a through 2.5.9. | ||||
CVE-2024-47074 | 1 Dataease | 1 Dataease | 2024-11-12 | 9.8 Critical |
DataEase is an open source data visualization and analysis tool. In DataEase, the PostgreSQL data source in the data source function lets the user customize the JDBC connection parameters and the target PG server to connect to. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, the PgConfiguration class does not filter any parameters and directly concatenates user input into the JDBC URL. So, if the attacker adds certain parameters to the JDBC URL and connects to a malicious PG server, the attacker can trigger the PostgreSQL JDBC driver deserialization vulnerability, and ultimately execute system commands through that deserialization and obtain server privileges. The vulnerability has been fixed in v1.18.25. | ||||
CVE-2024-47072 | 2 Redhat, X-stream | 3 Jboss Data Grid, Ocp Tools, X-stream | 2024-11-08 | 7.5 High |
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. | ||||
CVE-2024-10749 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-06 | 5 Medium |
A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. The affected function is script in the file /app/admin/controller/api/Plugs.php. Manipulation of the argument uptoken leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high, and exploitation is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2024-48206 | 1 Chainer | 1 Chainer | 2024-11-01 | 9.8 Critical |
A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. | ||||
CVE-2024-50507 | | | 2024-11-01 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection. This issue affects DS.DownloadList: from n/a through 1.3. | ||||
CVE-2024-48112 | 1 Thinkphp | 1 Thinkphp | 2024-11-01 | 9.8 Critical |
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | ||||
CVE-2024-10456 | 1 Deltaww | 1 Infrasuite Device Master | 2024-11-01 | 9.8 Critical |
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. | ||||
CVE-2021-4451 | 2 Ninjatechnologiesnetwork, Nintechnet | 2 Ninja Firewall, Ninjafirewall | 2024-10-30 | 6.6 Medium |
The NinjaFirewall plugin for WordPress is vulnerable to authenticated PHAR deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to trigger phar deserialization on the server. This deserialization can enable exploits of other plugins or themes if vulnerable software is present alongside WordPress and NinjaFirewall. | ||||
CVE-2024-50416 | 1 Wpclever | 1 Wpc Shop As A Customer For Woocommerce | 2024-10-29 | 8.8 High |
Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection. This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6. | ||||
CVE-2024-50408 | 1 Kibokolabs | 1 Namaste! Lms | 2024-10-29 | 8.8 High |
Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection. This issue affects Namaste! LMS: from n/a through 2.6.3. | ||||
CVE-2024-49684 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2024-10-25 | 7.2 High |
Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection. This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21. | ||||
CVE-2024-49332 | 2 Giveaway Boost, Giveawayboost | 2 Giveaway Boost, Giveaway Boost | 2024-10-24 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection. This issue affects Giveaway Boost: from n/a through 2.1.4. | ||||
CVE-2024-49625 | 2 Brandon Clark, Brandonclark | 2 Site Builder Dynamic Components, Sitebuilder Dynamic Components | 2024-10-24 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Brandon Clark SiteBuilder Dynamic Components allows Object Injection. This issue affects SiteBuilder Dynamic Components: from n/a through 1.0. | ||||
CVE-2024-49624 | 1 Smartdevth | 1 Advanced Advertising System | 2024-10-24 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Smartdevth Advanced Advertising System allows Object Injection. This issue affects Advanced Advertising System: from n/a through 1.3.1. | ||||
CVE-2024-49626 | 1 Piyushmca | 1 Shipyaari Shipping Management | 2024-10-23 | 9.8 Critical |
Deserialization of Untrusted Data vulnerability in Piyushmca Shipyaari Shipping Management allows Object Injection. This issue affects Shipyaari Shipping Management: from n/a through 1.2. | ||||
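The PHP Object Injection entries above (the UltraPress, Empowerment and Unseen Blog themes, and every WordPress plugin described as "Deserialization of Untrusted Data ... allows Object Injection") share one sink: unserialize() on data an authenticated user can influence. That sink is inert until some class with a dangerous magic method (__destruct, __wakeup, __toString) is loadable from any plugin or theme on the same site, which is exactly the "POP chain present via an additional plugin or theme" caveat in the theme descriptions. The PHP 8 script below is an added example written for this page; it is not code from any of the listed projects. The TempFileCleanup gadget class, the load_settings_* functions and the cookie-style input are hypothetical. It shows the gadget, the vulnerable sink, a hand-crafted payload, and the hardened sink that refuses all classes.

```php
<?php
declare(strict_types=1);
// Added example (not code from any listed plugin or theme). All class and
// function names here are hypothetical. Requires PHP 8.0 or later.

// A benign-looking class shipped by some *other* plugin or theme on the site.
// __destruct runs when the object is released, so anyone who can make
// unserialize() build one of these gets the unlink() with their own $path.
final class TempFileCleanup
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path); // attacker-chosen path => arbitrary file deletion
        }
    }
}

// Vulnerable sink: the pattern behind the PHP Object Injection CVEs above.
// The string typically comes from a cookie, a form field or post meta that a
// Contributor-level user can write.
function load_settings_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted); // CWE-502: every loadable class is a candidate gadget
}

// Hardened sink: scalars and arrays still round-trip, but any O:/C: token
// becomes __PHP_Incomplete_Class, whose magic methods never execute.
function load_settings_hardened(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    return contains_incomplete_object($value) ? null : $value;
}

// Walk nested arrays so an object buried inside a list is also rejected.
function contains_incomplete_object(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $element) {
            if (contains_incomplete_object($element)) {
                return true;
            }
        }
    }
    return false;
}

// --- Demo with a constructed payload -------------------------------------
// The serialized gadget is built by hand: the attacker never needs the class,
// and calling serialize(new TempFileCleanup) here would destruct the temporary
// object and delete the file before the demo starts.
$victim = tempnam(sys_get_temp_dir(), 'poi');
file_put_contents($victim, 'important data');
$payload = sprintf(
    'O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
);

// Hardened sink first: no object is instantiated, the file is untouched.
$result = load_settings_hardened($payload);
printf("hardened: returned %s, file exists: %s\n",
    var_export($result, true), var_export(file_exists($victim), true));

// Vulnerable sink: the gadget is instantiated and fires as soon as it is released.
$result = load_settings_vulnerable($payload);
unset($result); // refcount reaches zero -> __destruct -> unlink()
printf("vulnerable: file exists: %s\n", var_export(file_exists($victim), true));
```

Run it with the php CLI on a scratch machine: the hardened call hands back null and leaves the temp file in place, while the vulnerable call removes it the moment the object is freed, with no further interaction from the attacker. The NinjaFirewall entry (CVE-2021-4451) reaches the same gadget through a different door: on PHP before 8.0, filesystem functions such as file_exists() or is_file() given a phar:// path unserialize that archive's metadata, so an uploadable file plus a path the plugin passes to such a function is enough. allowed_classes => false does not help there; the path itself must be rejected if it carries a phar:// or other stream-wrapper prefix before it is used.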