GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability. The specific flaw exists within the Core Service, which listens on TCP port 8017 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24029.
GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability. The specific flaw exists within the Store Service, which listens on TCP port 8018 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24331.
An issue was discovered in GFI Kerio Connect 9.4.1 patch 1 (fixed in 10.0.0). There is a stack-based Buffer Overflow in the webmail component's 2FASetup function via an authenticated request with a long primaryEMailAddress field to the webmail/api/jsonrpc URI.
GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. A local attacker can escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service.
Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.
The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.
Microsoft SQL Server Remote Code Execution Vulnerability
Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the sites SALT_NONCE and and SALT_KEY to exploit.
Sagemcom F@ST 5280 routers using firmware version 1.150.61 have insecure deserialization that allows any authenticated user to perform a privilege escalation to any other user. By making a request with valid sess_id, nonce, and ha1 values inside of the serialized session cookie, an attacker may alter the user value inside of this cookie, and assume the role and permissions of the user specified. By assuming the role of the user internal, which is inaccessible to end users by default, the attacker gains the permissions of the internal account, which includes the ability to flash custom firmware to the router, allowing the attacker to achieve a complete compromise.
Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.
Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.11.
Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection. This issue affects Noisa: from n/a through 2.6.0.
Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7.
Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.
Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.
Deserialization of Untrusted Data vulnerability in Arraytics Eventin allows Object Injection. This issue affects Eventin: from n/a through 4.0.31.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function.
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14
In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.
Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server
Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution.
Deserialization of untrusted data in multiple functions in MIK.starlight 7.9.5.24363 allows authenticated remote attackers to execute operating system commands by crafting serialized objects.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS 6.10. Authentication is required to exploit this vulnerability. The specific flaw exists within Composite.dll. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-14740.
Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through 2.9.1.
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a malicious attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store. If one's application does not use Ratpack's session mechanism, it is not vulnerable. Ratpack 1.9.0 introduces a strict allow-list mechanism that mitigates this vulnerability when used. Two possible workarounds exist. The simplest mitigation for users of earlier versions is to reduce the likelihood of attackers being able to write to the session data store. Alternatively or additionally, the allow-list mechanism could be manually back ported by providing an alternative implementation of `SessionSerializer` that uses an allow-list.
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such issue to be exploited and lead to RCE in some cases.
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.
Microsoft SharePoint Remote Code Execution Vulnerability
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter. We can access this listener by submitting a POST request to any page. This issue may lead to `post-auth RCE` This endpoint is subject to authentication and, therefore, requires a valid user to carry on the attack. This issue was addressed in 4.0.3 by encrypting serialization payload with secrets only known to server.
PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function. This makes it possible for authenticated attackers attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.
Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.