Design/Logic Flaw
Open Web Analytics OWA before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owaevent parameter to queue.php...
CVE-2014-2294
Open Web Analytics OWA before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owaevent parameter to queue.php...
CVE-2014-2294
Open Web Analytics (OWA) before 1.5.7 is vulnerable to PHP object injection via the owa_event parameter to queue.php. The root cause is unsafe unserialize() of a crafted serialized object (after decoding base64) in queue.php, enabling remote attackers to manipulate configuration or achieve arbitr...
CVE-2018-9843
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header...
EulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2018-1059)
According to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java...
CVE-2018-0147
A vulnerability in Java deserialization used by Cisco Secure Access Control System ACS prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by...
Deserialization of untrusted data
A vulnerability in Java deserialization used by Cisco Secure Access Control System ACS prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by...
Category Order and Taxonomy Terms Order <= 1.5.2.2 - Authenticated PHP Object Injection
Usage of unserialize on user input in the saving request of the orders leads to a PHP object injection vulnerability. Send a POST request to "URL/wp-admin/admin-ajax.php" with parameters "action=update-taxonomy-order&order=SERIALIZED-OBJECT"...
Jenkins CI Unauthenticated Remote Code Execution (CVE-2017-1000353)
A command injection vulnerability exists in Jenkins. The vulnerability is due to a lack of serialized object validation. Successful exploitation could allow an attacker to execute arbitrary code on the target machine...
CVE-2014-9515
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object...
Type confusion
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object...
PT-2017-6361 · Apache · Dozer
Name of the Vulnerable Software and Affected Versions: Dozer affected versions not specified Description: The issue is related to Dozer's improper use of a reflection-based approach to type conversion. This might allow remote attackers to execute arbitrary code via a crafted serialized object...
Apache Synapse Remote Code Execution Vulnerability
Apache Synapse is a simple, high-quality open source alternative that provides a way to implement SOA by exposing existing applications without having to rewrite any code. A remote code execution vulnerability exists in Apache Synapse, which is caused by the serializability of classes in the Apac...
CVE-2014-4000
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes(...))...
Design/Logic Flaw
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes(...))...
Kaltura - Remote Code Execution and Cross-Site Scripting
1 Unauthenticated Remote Code Execution through unserialize from cookie data Because of a hardcoded cookie secret, the cookie signature validation can be bypassed and malicious user input can be passed via the 'userzone' cookie to the unserialize function: abstract class kalturaAction extends...