Export limit exceeded: 362531 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2943 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10749 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-06 | 5 Medium |
| A vulnerability, which was classified as critical, was found in ThinkAdmin up to 6.1.67. Affected is the function script of the file /app/admin/controller/api/Plugs.php. The manipulation of the argument uptoken leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-10079 | 2 Newsignature, Wp Easy Post Types Project | 2 Wp Easy Post Types, Wp Easy Post Types | 2024-10-22 | 8.8 High |
| The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajax_import_content' function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-9917 | 2 Huangdou, Usualtool | 2 Utcms, Usualtoolcms | 2024-10-19 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in HuangDou UTCMS V9. This affects an unknown part of the file app/modules/ut-template/admin/template_creat.php. The manipulation of the argument content leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-47836 | 1 Admidio | 1 Admidio | 2024-10-18 | 3.5 Low |
| Admidio is an open-source user management solution. Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Version 4.3.12 fixes this issue. | ||||
| CVE-2024-7576 | 1 Telerik | 1 Ui For Wpf | 2024-10-03 | 7.8 High |
| In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. | ||||
| CVE-2024-8316 | 1 Telerik | 1 Ui For Wpf | 2024-10-03 | 7.8 High |
| In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability. | ||||
| CVE-2024-7351 | 1 Presstigers | 1 Simple Job Board | 2024-09-27 | 7.2 High |
| The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-8862 | 2 H2o, H2oai | 2 H2o, H2o-3 | 2024-09-20 | 7.3 High |
| A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-44902 | 1 Thinkphp | 1 Thinkphp | 2024-09-20 | 9.8 Critical |
| A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | ||||
| CVE-2024-37288 | 1 Elastic | 1 Kibana | 2024-09-17 | 9.9 Critical |
| A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html . | ||||
| CVE-2024-28991 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-17 | 9 Critical |
| SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution. | ||||
| CVE-2024-29847 | 1 Ivanti | 1 Endpoint Manager | 2024-09-17 | 9.8 Critical |
| Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | ||||
| CVE-2024-45855 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | 7.1 High |
| Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. | ||||
| CVE-2024-45854 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | 7.1 High |
| Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. | ||||
| CVE-2024-45853 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | 7.1 High |
| Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. | ||||
| CVE-2024-45852 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | 8.8 High |
| Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. | ||||
| CVE-2024-41874 | 1 Adobe | 1 Coldfusion | 2024-09-16 | 9.8 Critical |
| ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-43931 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-09-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in eyecix JobSearch allows Object Injection.This issue affects JobSearch: from n/a through 2.5.3. | ||||
| CVE-2024-8255 | 1 Deltaww | 2 Dtn Soft, Dtnsoft | 2024-09-06 | 9.8 Critical |
| Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability. | ||||
| CVE-2024-2694 | 1 Muffingroup | 1 Betheme | 2024-09-03 | 8.8 High |
| The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||