Total: 1830 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-23420 | 1 Codeception | 1 Codeception | 2024-11-21 | 10.0 HIGH | 7.7 HIGH | This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.
CVE-2021-23338 | 1 Microsoft | 1 Qlib | 2024-11-21 | 6.5 MEDIUM | 6.6 MEDIUM | This affects all versions of package qlib. The workflow function in the CLI part of qlib was using an unsafe YAML load function.
CVE-2021-22855 | 1 Hr Portal Project | 1 Hr Portal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
CVE-2021-22777 | 1 Schneider-electric | 1 Sosafe Configurable | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file.
CVE-2021-22439 | 1 Huawei | 1 Anyoffice | 2024-11-21 | 9.3 HIGH | 8.1 HIGH | There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. By successfully exploiting this vulnerability, the attacker can execute remote malicious code injection and control the device.
CVE-2021-22097 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM | In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.
CVE-2021-22095 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message.
CVE-2021-21956 | 1 Cloudlinux | 1 Imunify360 | 2024-11-21 | 9.3 HIGH | 7.8 HIGH | A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21869 | 1 Codesys | 1 Codesys | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21868 | 1 Codesys | 1 Codesys | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21867 | 1 Codesys | 1 Codesys | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21866 | 1 Codesys | 1 Development System | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21865 | 1 Codesys | 1 Development System | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21864 | 1 Codesys | 1 Development System | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21863 | 1 Codesys | 1 Development System | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21741 | 1 Zte | 2 Zxv10 M910, Zxv10 M910 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a specific serialization command.
CVE-2021-21677 | 1 Jenkins | 1 Code Coverage Api | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
CVE-2021-21604 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
CVE-2021-21524 | 1 Dell | 2 Storage Monitoring And Reporting, Storage Resource Manager | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Critical as this may lead to system compromise by unauthenticated attackers.
CVE-2021-21488 | 1 Sap | 1 Netweaver Knowledge Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allow a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker's code, therefore impacting Availability.