Total
2053 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-27131 | 1 Cisco | 1 Security Manager | 2024-11-21 | 8.1 High |
| Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities. | ||||
| CVE-2020-26945 | 2 Mybatis, Redhat | 2 Mybatis, Jboss Fuse | 2024-11-21 | 8.1 High |
| MyBatis before 3.5.6 mishandles deserialization of object streams. | ||||
| CVE-2020-26867 | 1 Pcvuesolutions | 1 Pcvue | 2024-11-21 | 9.8 Critical |
| ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server. | ||||
| CVE-2020-26207 | 1 Databaseschemareader Project | 1 Dbschemareader | 2024-11-21 | 8 High |
| DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened. | ||||
| CVE-2020-26165 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 8.8 High |
| qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. | ||||
| CVE-2020-26118 | 1 Smartbear | 1 Collaborator | 2024-11-21 | 8.8 High |
| In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system. | ||||
| CVE-2020-25260 | 1 Hyland | 1 Onbase | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization. | ||||
| CVE-2020-25259 | 1 Hyland | 1 Onbase | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner. | ||||
| CVE-2020-25258 | 1 Hyland | 1 Onbase | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages. | ||||
| CVE-2020-24914 | 1 Qcubed | 1 Qcubed | 2024-11-21 | 9.8 Critical |
| A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request. | ||||
| CVE-2020-24750 | 4 Debian, Fasterxml, Oracle and 1 more | 29 Debian Linux, Jackson-databind, Agile Plm and 26 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. | ||||
| CVE-2020-24648 | 1 Hp | 1 Intelligent Management Center | 2024-11-21 | 9.8 Critical |
| A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). | ||||
| CVE-2020-24639 | 1 Arubanetworks | 1 Airwave Glass | 2024-11-21 | 9.8 Critical |
| There is a vulnerability caused by unsafe Java deserialization that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system. | ||||
| CVE-2020-24616 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). | ||||
| CVE-2020-24164 | 1 Taoensso | 1 Nippy | 2024-11-21 | 7.8 High |
| A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface. | ||||
| CVE-2020-24036 | 1 Fork-cms | 1 Fork Cms | 2024-11-21 | 8.8 High |
| PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. | ||||
| CVE-2020-24034 | 1 Sagemcom | 2 F\@st 5280 Router, F\@st 5280 Router Firmware | 2024-11-21 | 8.8 High |
| Sagemcom F@ST 5280 routers using firmware version 1.150.61 have insecure deserialization that allows any authenticated user to perform a privilege escalation to any other user. By making a request with valid sess_id, nonce, and ha1 values inside of the serialized session cookie, an attacker may alter the user value inside of this cookie, and assume the role and permissions of the user specified. By assuming the role of the user internal, which is inaccessible to end users by default, the attacker gains the permissions of the internal account, which includes the ability to flash custom firmware to the router, allowing the attacker to achieve a complete compromise. | ||||
| CVE-2020-23653 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-21 | 9.8 Critical |
| An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution. | ||||
| CVE-2020-23621 | 1 Squire-technologies | 1 Svi Ms Management System | 2024-11-21 | 9.8 Critical |
| The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2020-23620 | 1 Orlansoft | 1 Orlansoft Erp | 2024-11-21 | 9.8 Critical |
| The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | ||||