A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised.
Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname.
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version 8.24, 9.14 and 10.2 addresses this issue. It is recommended to upgrade the affected component.
The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.
Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data.
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection.This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.
Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1.
Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.10.
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.94.0.
A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server.
The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5.2 and below for TYPO3 fails to sanitize user input, which allows execution of arbitrary Extbase actions, resulting in Remote Code Execution.
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user resulting in a High impact to Confidentiality and Integrity. Exploitation of this issue does not require user interaction.
Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects FundPress: from n/a through <= 2.0.6.
A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection.This issue affects Save as PDF: from n/a through <= 4.4.0.
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
Deserialization of Untrusted Data vulnerability in Marko-M Quick Count quick-count allows Object Injection.This issue affects Quick Count: from n/a through <= 3.00.
NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering.
Deserialization of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object Injection.This issue affects Muzaara Google Ads Report: from n/a through <= 3.1.
The Device Administrator code in Android before 4.4.1_r1 might allow attackers to spoof device administrators and consequently bypass MDM restrictions by leveraging failure to update the mAdminMap data structure.
A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.
Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range.
A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality.
Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give allows Object Injection.This issue affects GiveWP: from n/a through <= 3.19.3.
A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize() on user-supplied input without validation. By crafting a malicious serialized payload, an attacker can trigger PHP object injection, perform a file write, and gain arbitrary command execution on the host system.
download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering.
The chat window of Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.11 and 7.x before 7.0.3 could allow an attacker to gain access to user information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view the user information and application data.
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 395, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 488 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 493, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
Deserialization of Untrusted Data vulnerability in mywebtonet PHP/MySQL CPU performance statistics mywebtonet-performancestats allows Object Injection.This issue affects PHP/MySQL CPU performance statistics: from n/a through <= 1.2.1.
Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.
Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.
NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker may cause an improper input validation issue. A successful exploit of this vulnerability may lead to code execution.