Search Results (3033 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32828 | 1 Hyland | 1 Nuxeo | 2025-03-10 | 5.4 Medium |
| The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by leveraging the automation API. | ||||
| CVE-2023-25558 | 1 Datahub Project | 1 Datahub | 2025-03-10 | 7.5 High |
| DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the `id_token` is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the `id_token` claim values start with the `{#sb64}` prefix, pac4j considers the value to be a serialized Java object and will deserialize it. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, which puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. Users are advised to upgrade. There are no known workarounds. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-086. | ||||
| CVE-2022-23535 | 1 Litedb | 1 Litedb | 2025-03-10 | 7.3 High |
| LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When an instance is not of the expected class, `BsonMapper` uses a special `_type` string field containing the full class name and assembly, which is loaded and fitted into your model. If your end user can send your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but it is not 100% guaranteed when using the `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory. | ||||
| CVE-2024-36984 | 1 Splunk | 2 Enterprise Security, Splunk | 2025-03-07 | 8.8 High |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code. | ||||
| CVE-2023-26779 | 1 Yf-exam Project | 1 Yf-exam | 2025-03-06 | 9.8 Critical |
| CleverStupidDog yf-exam v1.8.0 is vulnerable to Deserialization, which can lead to remote code execution (RCE). | ||||
| CVE-2021-28254 | 1 Laravel | 1 Laravel | 2025-03-05 | 9.8 Critical |
| A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. | ||||
| CVE-2023-3001 | 1 Schneider-electric | 1 Igss Dashboard | 2025-03-05 | 7.8 High |
| A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. | ||||
| CVE-2024-31903 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | 8.8 High |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data. | ||||
| CVE-2024-50181 | | | 2025-03-03 | 5.5 Medium |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-5352 | 1 Anji-plus | 1 Aj-report | 2025-03-01 | 6.3 Medium |
| A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. Affected by this issue is the function validationRules of the component com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSetParamController#verification. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266264. | ||||
| CVE-2024-5351 | 1 Anji-plus | 1 Aj-report | 2025-03-01 | 6.3 Medium |
| A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been declared as critical. Affected by this vulnerability is the function getValueFromJs of the component Javascript Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266263. | ||||
| CVE-2024-37099 | 2 Givewp, Liquidweb | 2 Givewp, Givewp | 2025-02-28 | 10 Critical |
| Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection. This issue affects GiveWP: from n/a through 3.14.1. | ||||
| CVE-2023-21744 | 1 Microsoft | 2 Sharepoint Foundation, Sharepoint Server | 2025-02-28 | 8.8 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2023-21745 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 8 High |
| Microsoft Exchange Server Spoofing Vulnerability | ||||
| CVE-2023-21762 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 8 High |
| Microsoft Exchange Server Spoofing Vulnerability | ||||
| CVE-2023-21707 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 8.8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-21710 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 7.2 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-28310 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-32031 | 1 Microsoft | 1 Exchange Server | 2025-02-28 | 8.8 High |
| Microsoft Exchange Server Remote Code Execution Vulnerability | ||||
| CVE-2023-33134 | 1 Microsoft | 1 Sharepoint Server | 2025-02-28 | 8.8 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||