CVE-2019-9373

In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID:...

CVE-2019-9373

Technical details about CVE-2019-9373 are not provided in the supplied documents. Monitor for updates from official advisories; no specific affected products, payloads, or mitigations are disclosed here.

inoERP 4.15 - 'download' SQL Injection

Exploit Title: inoERP 4.15 - 'download' SQL Injection Date: 2019-09-13 Exploit Author: Semen Alexandrovich Lyhin Vendor Homepage: http://inoideas.org/ Version: 4.15 CVE: N/A A malicious query can be sent in base64 encoding to unserialize function. It can be deserialized without any sanitization...

EulerOS 2.0 SP3 : libxml2 (EulerOS-SA-2019-2013)

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or...

Remote Code Execution

tapestry-core is vulnerable to remote code execution. Access to the classpath asset files is not restricted, allowing an attacker to guess the path to a known file in the classpath and retrieve the contents. It can also potentially allow the attacker to perform a Java serialization attack if the...

EulerOS 2.0 SP2 : libxml2 (EulerOS-SA-2019-1858)

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or...

Deserialization of untrusted data

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the...

CVE-2019-15542

An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization...

CVE-2019-15542

An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization...

CVE-2019-15542

An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization...

CVE-2019-15542

An issue in the ammonia crate for Rust (before 2.1.0) causes uncontrolled recursion during HTML DOM tree serialization in the affected component. The documents provide the vulnerability description but do not specify exploit vectors, practical impact beyond potential recursion, or concrete remedi...

NewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0119)

The remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE subcomponent: JAXP. Supported versions that are affected are Java SE:...

xstream code injection vulnerability

xstream is an open source Java class library , it can serialize objects into XML or deserialize XML into objects . . A code injection vulnerability exists in xstream. The vulnerability stems from a network system or product that does not properly filter special elements of externally entered data...

jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis

A vulnerability was discovered in jackson-databind where it would permit deserialization of a malicious object using MyBatis classes when using DefaultTyping. An attacker could use this flaw to achieve content exfiltration and possibly conduct further attacks...

WebERP 4.15 - SQL injection Exploit

Exploit for php platform in category web applications Exploit Title: Blind SQL injection in WebERP. Exploit Author: Semen Alexandrovich Lyhin https://www.linkedin.com/in/semenlyhin/ Vendor Homepage: http://www.weberp.org/ Version: 4.15 A malicious query can be sent in base64 encoding to unseriali...

Remote code execution

Sitecore Experience Platform XP prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object...

IBM Websphere Application Server Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution', 'Description' = % This module exploits...

The original Java deserialization remote execution vulnerabilities so simple-vulnerability warning-the black bar safety net

Here we for Java deserialization issue caused remote code execution vulnerability principles are introduced. In order to simplify the description,without introducing a 3rd party library under the premise of the Operation, HOPE can serve to initiate the effect. There are 3 main parts: The Java...

PT-2019-17012 · Ibm · Ibm Websphere Application Server

Name of the Vulnerable Software and Affected Versions: IBM WebSphere Application Server versions 8.5 through 9.0 Description: The issue allows a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. Recommendations:...

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to...