PT-2022-25280 · Delta Electronics · Infrasuite Device Master
Name of the Vulnerable Software and Affected Versions: Delta Electronics InfraSuite Device Master versions 00.00.01a and prior. Description: The database backup function in the software lacks proper authentication, allowing an attacker to provide malicious serialized objects. When deserialized,...
Delta Electronics InfraSuite Device Master Access Control Error Vulnerability
Delta Electronics InfraSuite Device Master is used to simplify and automate critical device monitoring by Delta Electronics of Taiwan, China. An access control error vulnerability exists in versions prior to Delta Electronics InfraSuite Device Master 00.00.01a, which stems from a lack of proper...
JBOSS EAP/AS 6.x Remote Code Execution
This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. class MetasploitModule: 'JBOSS EAP/AS Remoting Unified Invoker RCE', 'Description' => %q{ An unauthenticated attacker with network access to the JBOSS EAP/AS ... }, 'Joao Matos',...
GHSA-V64W-96P6-FX7W Apache Geronimo JMX Remoting functionality allows remote code execution in 3.x before v3.0.1
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server WAS Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to...
GHSA-J65F-MVGW-PRP2 Deserialization of Untrusted Data in Apache OpenJPA
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by...
GHSA-J7MW-7CRR-658V Richfaces vulnerable to arbitrary code execution
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData...
CVE-2021-41766 Insecure Java Deserialization in Apache Karaf
Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client-server communication. Whereas the default JMX implementation is hardened against unauthenticated...
GHSA-H4M5-QPFP-3MPV Directory Traversal in Babel
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files containing serialized Python objects via directory traversal, leading to code execution...
CVE-2021-36231
Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects...
Security Bulletin: IBM Security Privileged Identity Manager is affected by a specially-crafted sequence of serialized objects(CVE-2020-4576)
Summary IBM Security Privileged Identity Manager has addressed a specially-crafted sequence of serialized objects in WebSphere Application Server. Vulnerability Details CVEID: CVE-2020-4576 DESCRIPTION: IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote...
Exploit for Deserialization of Untrusted Data in Apache Tapestry
CVE-2021-27850 Exploit Overview CVE-2021-27850 is a...
Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4448)
Summary IBM Security Privileged Identity Manager has addressed a remote code execution vulnerability in WebSphere Application Server ND. Vulnerability Details CVEID: CVE-2020-4448 DESCRIPTION: IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker...
Security Bulletin: IBM Security Privileged Identity Manager is affected by an information disclosure vulnerability (CVE-2020-4449)
Summary IBM Security Privileged Identity Manager has addressed an issue in WebSphere Application Server traditional that is vulnerable to an Information Disclosure vulnerability. Vulnerability Details CVEID: CVE-2020-4449 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional...
CVE-2021-22855 Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands...
Deserialization of untrusted data
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Qognify Ocularis 5.9.0.395. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of serialized objects provided to the EventCoordinator endpoint...
CVE-2020-27868
CVE-2020-27868 affects Qognify Ocularis 5.9.0.395. The root cause is insecure deserialization of untrusted data handled by the EventCoordinator’s connected-channel path, enabling remote code execution with SYSTEM privileges. Multiple connected sources (Red Hat, Checkpoint/PRION, NVD, ZDI, CVE lis...
Apache Synapse < 3.0.1 Remote Code Execution Vulnerability
All Apache Synapse releases prior to 3.0.1 installed on the remote host are affected by a Remote Code Execution vulnerability. It can be triggered by injecting specially crafted serialized objects when Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version is present...