768 matches found
CVE-2020-4280
IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to...
EUVD-2020-25527
IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to...
QIWI: MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass
Last week, details about 3 CVEs affecting MobileIron MDM product were disclosed. When combined, an attacker can achieve unauthenticated remote code execution with arbitrary Java deserialization vector : - CVE-2020-15505 - Remote Code Execution - CVE-2020-15506 - Authentication Bypass -...
Exploit for Deserialization of Untrusted Data in Redhat Data_Grid
This is a collection of Java deserialization exploits, specifically targeting various Java applications. The exploits are designed to bypass Java's deserialization security features and execute arbitrary code on the target system. The exploits are implemented in Python and use the ysoserial libra...
Security Bulletin: Vulnerability in Apache Commons affects Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime (CVE-2015-7450)
Summary An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime. Vulnerability Details CVEID: CVE-2015-7450 DESCRIPTION: Apache...
Apache OFBiz XML-RPC Java Deserialization Exploit
This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04. This module requires Metasploit: https://metasploit.com/download Current source:...
Apache OFBiz XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04. Module Options msf use exploit/linux/http/apacheofbizdeserialiation msf exploitapacheofbizdeserialiation show targets ...targets...
CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Liferay Portal <= 7.1.3, 7.2.x <= 7.2.1 Multiple Vulnerabilities
Liferay Portal is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:liferay:liferayportal"; if...
Exploit for Path Traversal in F5 Big-Ip_Access_Policy_Manager
CVE-2020-5902 BIG-IP RCE Update...
Inductive Automation Ignition - Remote Code Execution
This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA... This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Inductive Automation Ignition...
Inductive Automation Ignition Remote Code Execution Exploit
This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to and including 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an...
Inductive Automation Ignition Remote Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Inductive Automation Ignition Remote Code Execution', 'Description' = %q This module exploits a Java deserialization vulnerability in the Inducti...
Exploit for CVE-2020-2551
CVE-2020-2551 Weblogic IIOP 反序列化 测试环境 Weblogic10.3.6+jdk1.6 打包好的jar包 提取码:a6ob 漏洞利用 下载jar包,然后使用marshalsec起一个恶意的RMI服务,本地编译一个exp.java java package payload; import java.io.IOException; public class exp public exp String cmd = "curl http://172.16.1.1/success"; try...
CVE-2020-11972
A flaw was found in camel up to versions 2.25.1 and 3.x. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as...
CVE-2020-11973
A flaw was found in camel. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Mitigation...
Inductive Automation Ignition Remote Code Execution
This module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to and including 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated...
JAVA Deserialization Remote Command Execution Vulnerability in UFIDA NC
UFIDA NC products are world-class high-end management software for group enterprises, with a market share that has reached the first in Asia Pacific among similar products, and have been applied in 8,000 group enterprises, with domestic users covering most critical infrastructure operating units....
Apache Camel Netty enables Java deserialization by default
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0...
GHSA-H79P-32MX-FJJ9 Apache Camel Netty enables Java deserialization by default
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0...