| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft SharePoint Server Remote Code Execution Vulnerability |
| In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code. |
| In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to an insecure session storage configuration. |
| Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft Exchange Server Remote Code Execution Vulnerability |
| Microsoft Exchange Server Spoofing Vulnerability |
| Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
|
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to
execute arbitrary code on the targeted system by sending a specifically crafted packet to the
application.
|
| A vulnerability classified as problematic was found in b1gMail up to 7.4.1-pl1. Affected by this vulnerability is an unknown functionality of the file src/admin/users.php of the component Admin Page. The manipulation of the argument query/q leads to deserialization. The attack can be launched remotely. Upgrading to version 7.4.1-pl2 is able to address this issue. The identifier of the patch is 4816c8b748f6a5b965c8994e2cf10861bf6e68aa. It is recommended to upgrade the affected component. The vendor acted highly professional and even fixed this issue in the discontinued commercial edition as b1gMail 7.4.0-pl3. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from n/a before 7.19.3. |
| The Lead Generated WordPress Plugin, version <= 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize() function without being sanitized or verified, and as a result could lead to PHP object injection, which when combined with certain class implementations / gadget chains could be leveraged to perform a variety of malicious actions granted a POP chain is also present. |
| Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2. |
| Deserialization of Untrusted Data vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5.
|
| PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. |
| Auth. (subscriber+) PHP Object Injection vulnerability in Betheme theme <= 26.5.1.4 on WordPress. |
| The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain. |
| A vulnerability was found in dayrui XunRuiCMS 4.6.3. It has been classified as critical. Affected is the function import_add of the file dayrui/Fcms/Control/Admin/Linkage.php. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
