PT-2022-6762 · Unknown · Csharp-Language-Server-Protocol
Name of the Vulnerable Software and Affected Versions: csharp-language-server-protocol versions up to 0.19.6 Description: The issue is related to the function CreateSerializerSettings of the JSON Serializer component, which can lead to resource consumption when manipulated. This can potentially...
PT-2022-22812 · Rpc.Py · Rpc.Py
Name of the Vulnerable Software and Affected Versions: rpc.py versions through 0.6.0 Description: The issue allows Remote Code Execution because an unpickle occurs when the serializer: pickle HTTP header is sent. Although JSON is the default data format, an unauthenticated client can cause the da...
CVE-2022-2309
NULL Pointer Dereference allows attackers to cause a denial of service or application crash. This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialize function in the JSONSerializer class. An attacker can execute arbitrary code by sending a crafted JSON payload to the affected system. Details Serialization is a process of convertin...
com.twitter.ambrose:ambrose-hive (>=0.2.6 <=0.3.0), org.securegraph:securegraph-accumulo (>=0.5.0 <=0.8.1) +5 more potentially affected by CVE-2014-3627 via org.apache.hadoop:hadoop-client (>=0.23.10 <=0.23.9)
org.apache.hadoop:hadoop-client MAVEN version =0.23.10, =0.2.6, =0.5.0, =0.5.0, =0.5.0, =0.6.0, =0.5.0, =0.5.0, =0.8.1 Source cves: CVE-2014-3627 Source advisory: OSV:GHSA-JPMF-8CJ2-595G...
Deserialization of Untrusted Data in Flamingo amf-serializer
The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...
com.actiontestscript:ats-automated-testing (>=1.1.1 <=1.7.8), com.actiontestscript:automated-testing (=1.1.1) +1 more potentially affected by CVE-2017-3202 via com.exadel.flamingo.flex:amf-serializer (=1.5.0)
com.exadel.flamingo.flex:amf-serializer MAVEN version =1.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on com.exadel.flamingo.flex:amf-serializer and may be impacted: - com.actiontestscript:ats-automated-testing =1.1.1, =1.7.8 -...
GHSA-3PQG-4RQG-PG9G Cross-site Scripting in OWASP AntiSamy
OWASP AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) conten...
Cross-site Scripting (XSS)
org.owasp.antisamy:antisamy is vulnerable to cross-site scripting (XSS) attacks. The output serializer does not properly encode the Cascading Style Sheets (CSS) content, allowing an attacker to conduct HTML tag smuggling on STYLE content with the use of a specifically crafted user input, resulting in...
CVE-2022-29577
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367...
AZL-8824 CVE-2021-3700 affecting package usbredir for versions less than 0.12.0-1
A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in usbredirparser_serialize in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination...
CVE-2019-25057
In Corda before 4.1, the meaning of serialized data can be modified via an attacker-controlled CustomSerializer...
R3 Corda Security Vulnerability
R3 Corda is an open source blockchain platform from R3 Corporation in the United States. A security vulnerability exists in versions of R3 Corda prior to 4.1, which can be exploited by an attacker to modify the meaning of serialized data via a controlled CustomSerializer...
CSV Injection
symfony/serializer is vulnerable to CSV Injection. The vulnerability exists in a private variable used in the flatten function of CsvEncoder.php, which does not properly encode formulas and so allows an attacker to inject arbitrary CSV formulas and code...
CVE-2021-41270
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
DEBIAN-CVE-2021-41270
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
Design/Logic Flaw
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
CVE-2021-41270
CVE-2021-41270 (Symfony CSV Injection) affects Symfony/Serializer in Symfony PHP framework. The issue arises in the CsvEncoder where cells beginning with =, +, -, or @ could be treated as formulas. Initially, a tab prefix was used to escape these, but OWASP expanded the vulnerable set to include ...