21 matches found
CVE-2017-18375
Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php...
EUVD-2025-204565
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions database write access must first be obtained through another vulnerability or misconfiguration...
EUVD-2017-9491
Malware in sbrugna...
EUVD-2025-9694
Malicious code in bioql PyPI...
CVE-2019-12799
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
CVE-2024-13645
The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which mean...
CVE-2024-13645
The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which mean...
CVE-2024-13645 TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation
The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which mean...
CVE-2024-13645 TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation
The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which mean...
CVE-2024-13645
CVE-2024-13645 affects the WordPress tagging plugin TagDiv Composer (all versions up to and including 5.3). It describes PHP Object Instantiation via a module parameter, enabling unauthenticated object instantiation. The impact is conditional on a POP chain being present in the target environment...
CVE-2022-24989
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. Shell metacharacters can be placed in raidtype because popen is used without any sanitization...
GHSA-RF8F-HQJV-986P Shopware Insecure Deserialization Vulnerability
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
Shopware XXE Vulnerability
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction method of the ShopwareControllersBackendProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object...
Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster_Operating_System
It is an exploit module for CVE-2022-24990, a TerraMaster TOS Un...
Exploit for Missing Authentication for Critical Function in Terra-Master Terramaster_Operating_System
CVE-2022-24990 CVE-2022-24990 TerraMaster TOS unauthenticate...
Unsafe Deserialization
shopware/shopware is vulnerable to XML external entity attacks via unsafe deserialization. The sort parameter in the function loadPreviewAction in the ShopwareControllersBackendProductStream controller is not validated before PHP object instantiation is performed, which would allow an attacker to...
CVE-2019-12799
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
CVE-2019-12799
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
CVE-2017-18375
Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php...
CVE-2017-18375
Ampache 3.8.3 is affected by a vulnerability that allows PHP object instantiation via the files democratic.ajax.php and democratic.class.php. The connected sources consistently state this issue but do not provide technical specifics such as vulnerable functions, versions beyond 3.8.3, root cause ...