Total: 2270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-35218 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 8.9 High |
| Deserialization of untrusted data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server. | ||||
| CVE-2021-35217 | 1 Solarwinds | 1 Patch Manager | 2024-11-21 | 8.9 High |
| An insecure deserialization of untrusted data remote code execution vulnerability was discovered in the Patch Manager Orion Platform Integration module and reported to us by ZDI. An authenticated attacker could exploit it by triggering WSAsyncExecuteTasks deserialization of untrusted data. | ||||
| CVE-2021-35216 | 1 Solarwinds | 1 Patch Manager | 2024-11-21 | 8.9 High |
| An insecure deserialization of untrusted data remote code execution vulnerability was discovered in the Patch Manager Orion Platform Integration module. An authenticated attacker with network access via HTTP can exploit this vulnerability, which can result in remote code execution. | ||||
| CVE-2021-35215 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 8.9 High |
| Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability. | ||||
| CVE-2021-35196 | 1 Theologeek | 1 Manuskript | 2024-11-21 | 7.8 High |
| Manuskript through 0.12.0 allows remote attackers to execute arbitrary code via a crafted settings.pickle file in a project file, because there is insecure deserialization via the pickle.load() function in settings.py. NOTE: the vendor's position is that the product is not intended for opening an untrusted project file. | ||||
| CVE-2021-35095 | 1 Qualcomm | 20 Ar8035, Ar8035 Firmware, Qca8081 and 17 more | 2024-11-21 | 8.4 High |
| Improper serialization of message queue client registration can lead to a race condition allowing multiple gunyah message clients to register with the same label in Snapdragon Connectivity, Snapdragon Mobile. | ||||
| CVE-2021-34992 | 1 Orckestra | 1 C1 Cms | 2024-11-21 | 8.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740. | ||||
| CVE-2021-34520 | 1 Microsoft | 2 Sharepoint Foundation, Sharepoint Server | 2024-11-21 | 8.1 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2021-34394 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2024-11-21 | 4.2 Medium |
| Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. Incorrect message stream deserialization allows an attacker to use a malicious CA that is run by the user to cause a buffer overflow, which may lead to information disclosure and data modification. | ||||
| CVE-2021-34393 | 1 Nvidia | 10 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 7 more | 2024-11-21 | 4.2 Medium |
| Trusty contains a vulnerability in the TSEC TA, which deserializes incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to affect code execution, causing information disclosure. | ||||
| CVE-2021-34371 | 1 Neo4j | 1 Neo4j | 2024-11-21 | 9.8 Critical |
| Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains. | ||||
| CVE-2021-34066 | 1 Edgegallery | 1 Developer-be | 2024-11-21 | 9.8 Critical |
| An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file. | ||||
| CVE-2021-33898 | 1 Invoiceninja | 1 Invoice Ninja | 2024-11-21 | 8.1 High |
| In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker's input must be hosted at http://www.geoplugin.net (cleartext HTTP), and thus a successful attack requires spoofing that site or obtaining control of it. | ||||
| CVE-2021-33806 | 1 Bdew | 1 Bdlib | 2024-11-21 | 9.8 Critical |
| The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization. | ||||
| CVE-2021-33790 | 2 Minecraft, Techreborn | 2 Minecraft, Reborncore | 2024-11-21 | 9.8 Critical |
| The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. | ||||
| CVE-2021-33728 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 7.2 High |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows uploading JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary code on the device with root privileges. | ||||
| CVE-2021-33207 | 1 Softwareag | 1 Mashzone Nextgen | 2024-11-21 | 9.8 Critical |
| The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | ||||
| CVE-2021-33176 | 1 Octavolabs | 1 Vernemq | 2024-11-21 | 7.5 High |
| VerneMQ MQTT Broker versions prior to 1.12.0 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33175 | 1 Emqx | 1 Emq X Broker | 2024-11-21 | 7.5 High |
| EMQ X Broker versions prior to 4.2.8 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-11-21 | 8.8 High |
| In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | ||||