Total
1983 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1077 | 2025-02-07 | N/A | N/A | ||
| A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled. A remote unauthenticated attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices. Upgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher). | |||||
| CVE-2024-4157 | 1 Fluentforms | 1 Contact Form | 2025-02-06 | N/A | 7.5 HIGH |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771. | |||||
| CVE-2024-25117 | 2 Dompdf, Php | 2 Php-svg-lib, Php | 2025-02-05 | N/A | 6.8 MEDIUM |
| php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | |||||
| CVE-2024-10936 | 1 Instawp | 1 String Locator | 2025-02-05 | N/A | 8.8 HIGH |
| The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit. | |||||
| CVE-2023-20864 | 1 Vmware | 2 Aria Operations For Logs, Cloud Foundation | 2025-02-05 | N/A | 9.8 CRITICAL |
| VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. | |||||
| CVE-2024-54367 | 1 Ultimatemember | 1 Forumwp | 2025-02-05 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data vulnerability in ForumWP ForumWP allows Object Injection.This issue affects ForumWP: from n/a through 2.1.0. | |||||
| CVE-2023-1347 | 1 Fastlinemedia | 1 Customizer Export\/import | 2025-02-04 | N/A | 7.2 HIGH |
| The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present | |||||
| CVE-2021-26857 | 1 Microsoft | 1 Exchange Server | 2025-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2024-22460 | 1 Dell | 2 Dm5500, Dm5500 Firmware | 2025-02-04 | N/A | 2.2 LOW |
| Dell PowerProtect DM5500 version 5.15.0.0 and prior contains an insecure deserialization Vulnerability. A remote attacker with high privileges could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable application. | |||||
| CVE-2024-37060 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | |||||
| CVE-2024-37059 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37058 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37057 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37056 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37055 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37054 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37053 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2024-37052 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | N/A | 8.8 HIGH |
| Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | |||||
| CVE-2025-0974 | 2025-02-03 | 4.6 MEDIUM | 5.0 MEDIUM | ||
| A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. This issue affects some unknown processing. The manipulation of the argument li_op/md leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-1813 | 1 Presstigers | 1 Simple Job Board | 2025-01-31 | N/A | 9.8 CRITICAL |
| The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the job_board_applicant_list_columns_value function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code when a submitted job application is viewed. | |||||