Search the Community

SugarCRM versions 9.0.1 and below suffer from multiple phar deserialization vulnerabilities. View the full article

iMessage suffers from a vulnerability where NSArray deserialization can invoke a subclass that does not retain references. View the full article

iMessage suffers from a vulnerability where NSKeyedUnarchiver deserialization allows file backed NSData objects. View the full article

Sitecore versions 8.x suffer from a deserialization vulnerability that allows for remote code execution. View the full article

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host. View the full article

Revive Adserver versions prior to 4.2.0 suffers from deserialization and open redirection vulnerabilities. View the full article

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts. View the full article

LimeSurvey versions prior to 3.16 suffer from a deserialization remote code execution vulnerability. View the full article

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.corba.utils.MarshalledObject) to the interface to execute code on vulnerable hosts. View the full article

This Metasploit module demonstrates that an unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.jms.common.StreamMessag eImpl) to the interface to execute code on vulnerable hosts. View the full article

TCPDF versions 6.2.19 and below suffer from a deserialization vulnerability that can allow for remote code execution. View the full article

Oracle Weblogic Server deserialization remote command execution exploit with patch bypass. View the full article

OpenMRS Platform versions prior to 2.24.0 suffers from an insecure object deserialization vulnerability. View the full article

Ajera Timesheets versions 9.10.16 and below suffer from a vulnerability where it performs deserialization of untrusted data. View the full article

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. View the full article