Lucene search
K

365 matches found

Prion
Prion
added 2021/03/23 12:15 a.m.19 views

Design/Logic Flaw

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on...

5.8CVSS9.2AI score0.4999EPSS
Exploits1References15Affected Software12
Prion
Prion
added 2021/03/23 12:15 a.m.18 views

Design/Logic Flaw

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who follow...

7.5CVSS9.5AI score0.7598EPSS
Exploits1References15Affected Software13
OSV
OSV
added 2021/03/12 5:15 p.m.6 views

UBUNTU-CVE-2021-21366

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpect...

4.3CVSS7.3AI score0.01328EPSS
Exploits0References7
Packet Storm
Packet Storm
added 2021/02/10 12:0 a.m.232 views

Node.JS Remote Code Execution

Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 2 Exploit Author: UndeadLarva Software Link: https://www.npmjs.com/package/node-serialize Version: 0.0.4 CVE: CVE-2017-5941 import requests import re import base64 import sys url = 'http://192.168.100.133:8000/' change this payload =...

7.5CVSS9.6AI score0.61025EPSS
Exploits5
Exploit DB
Exploit DB
added 2021/02/10 12:0 a.m.284 views

Node.JS - 'node-serialize' Remote Code Execution (2)

Exploit Title: Node.JS - 'node-serialize' Remote Code Execution 2 Exploit Author: UndeadLarva Software Link: https://www.npmjs.com/package/node-serialize Version: 0.0.4 CVE: CVE-2017-5941 import requests import re import base64 import sys url = 'http://192.168.100.133:8000/' change this payload =...

9.8CVSS9.6AI score0.61025EPSS
Exploits5
OSV
OSV
added 2021/01/20 12:0 p.m.21 views

RUSTSEC-2021-0089 Optional `Deserialize` implementations lacking validation

When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to: Undefined behavior in asstring methods which use std::str::fromutf8unchecked internally. Panics due to failed...

9.8CVSS9.3AI score0.01123EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2021/01/20 12:0 a.m.2 views

PT-2021-24261 · Raw-Cpuid · Raw-Cpuid

Name of the Vulnerable Software and Affected Versions: raw-cpuid crate versions prior to 9.1.1 Description: The issue arises when the non-default serialize feature is activated, allowing most structs to implement serde::Deserialize without sufficient validation. This can lead to breaking invarian...

9.8CVSS9.2AI score0.01123EPSS
Exploits0References10
OSV
OSV
added 2021/01/13 12:0 a.m.13 views

OSV-2018-97 Heap-buffer-overflow in CFF::CFF2VariationStore::serialize

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11713 Crash type: Heap-buffer-overflow READ Crash state: CFF::CFF2VariationStore::serialize writecff2 hbsubsetcff2...

7.2AI score
Exploits0References1
OSV
OSV
added 2021/01/13 12:0 a.m.7 views

OSV-2018-26 UNKNOWN READ in BEInt<unsigned char, 1>::operator unsigned char

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351 Crash type: UNKNOWN READ Crash state: BEInt::operator unsigned char OT::DeviceRecord::serialize OT::hdmx::serialize...

7.2AI score
Exploits0References1
Node.js
Node.js
added 2020/12/18 10:54 p.m.76 views

Cross-Site Scripting

Overview Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Recommendation Upgrade to version 2.0.17 or...

4.3CVSS1.9AI score0.04522EPSS
Exploits1Affected Software1
OSV
OSV
added 2020/12/18 10:51 p.m.326 views

GHSA-63Q7-H895-M982 Cross-site Scripting in dompurify

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

6.1CVSS6.2AI score0.04522EPSS
Exploits1References9
IBM Security Bulletins
IBM Security Bulletins
added 2020/12/14 6:38 p.m.19 views

Security Bulletin: A security vulnerability in Node.js serialize-javascript affects IBM Cloud Pak for Multicloud Management Managed Service.

Summary A security vulnerability in Node.js serialize-javascript affects IBM Cloud Pak for Multicloud Management Managed Service. Vulnerability Details Third Party Entry: 186585 DESCRIPTION: Node.js serialize-javascript module code execution CVSS Base score: 9.8 CVSS Temporal Score: See:...

1AI score
Exploits0Affected Software1
OSV
OSV
added 2020/12/03 5:15 p.m.40 views

CVE-2020-28923

An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON...

2.7CVSS6.7AI score0.00957EPSS
Exploits0References2
Veracode
Veracode
added 2020/10/08 6:6 a.m.42 views

Cross-Site Scripting (XSS)

dompurify is vulnerable to cross-site scripting XSS. A mutation XSS vulnerability exists as a serialize-parse roundtrip does not return the original DOM tree, causing a namespace change from HTML to MathML via FORM elements...

6.1CVSS1AI score0.04522EPSS
Exploits1References6Affected Software1
NVD
NVD
added 2020/10/07 4:15 p.m.22 views

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

6.1CVSS0.04522EPSS
Exploits1References6
OSV
OSV
added 2020/10/07 4:15 p.m.45 views

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

6.1CVSS6.4AI score0.04522EPSS
Exploits1References6
OSV
OSV
added 2020/10/07 4:15 p.m.4 views

UBUNTU-CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

6.1CVSS6.7AI score0.04522EPSS
Exploits1References4
Cvelist
Cvelist
added 2020/10/07 3:50 p.m.38 views

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

6.2AI score0.04522EPSS
Exploits1References6
Veracode
Veracode
added 2020/09/03 4:15 a.m.10 views

Denial Of Service (DoS)

serialize-to-js is vulnerable to denial of service DoS. The vulnerability exists as the unvalidated user input could cause an infinite loop in the deserialize function...

2.7AI score
Exploits0
OSV
OSV
added 2020/09/02 3:59 p.m.11 views

GHSA-W5Q7-3PR9-X44W Denial of Service in serialize-to-js

Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later...

7.2AI score
Exploits0References1
Rows per page
Query Builder