PT-2019-19909 · Sitecore · Sitecore

Name of the Vulnerable Software and Affected Versions: Sitecore versions prior to 9.1 Description: The issue allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter, due to the deserialization of untrusted data in the anti CSRF...

Oracle Weblogic Server Deserialization MarshalledObject Remote Code Execution Exploit

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.corba.utils.MarshalledObject to the interface to execute code on vulnerable hosts. This module requires Metasploit: https://metasploit.com/download Current source:...

Oracle Weblogic Server Deserialization Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Oracle Weblogic Server Deserialization RCE - Raw Object', 'Description' = %q An unauthenticated attacker wi...

Oracle Weblogic Server Deserialization Remote Code Execution Exploit

This Metasploit module demonstrates that an unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object weblogic.jms.common.StreamMessag eImpl to the interface to execute code on vulnerable hosts. This module requires Metasploit:...

Security Bulletin: Potential Remote code execution vulnerability in WebSphere Application Server (CVE-2018-1904)

Summary There is a potential remote code execution vulnerability in WebSphere Application Server CVE-2018-1904 Vulnerability Details CVEID: CVE-2018-1904 DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code through an administrative client clas...

GHSA-PFWP-8PQ4-G7PV Incomplete List of Disallowed Inputs in SOFA-Hessian

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget...

CVE-2019-9212

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider...

CVE-2019-9212

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider...

CVE-2019-9212

SOFA-Hessian (CVE-2019-9212) affects 4.0.2 and earlier, allowing remote code execution by sending a crafted serialized Hessian object. The root cause is mishandled blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString (Resin Gadget context). The vendor note...

CVE-2019-6446

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have...

CVE-2019-6446

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have...

Design/Logic Flaw

DISPUTED An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior...

CVE-2019-6446

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have...

PYSEC-2019-108

DISPUTED An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior...

CVE-2019-6446

Removed by vendor...

Remote Code Execution Through Object Deserialization

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. Apache Groovy 2.4.4 is the first and only supported release under the Apache Software...

CVE-2018-6331

Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01...

Design/Logic Flaw

Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01...

CVE-2018-6331

Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01...

CVE-2018-1904

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533...