CWE-502: Deserialization of Untrusted Data
2,467 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-502 (page 5 of 50)
- CVE-2019-11286 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-07-31
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A…
- CVE-2019-11458 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-08
An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
- CVE-2019-11666 | HIGH | CVSS 8.8 | EG 8.8 | 2019-09-17
Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deseriali…
- CVE-2019-11830 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-09
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.
- CVE-2019-11831 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-09
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a pha…
- CVE-2019-11944 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-06-05
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11945 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-06-05
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11950 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-05
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11956 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-05
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-12017 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-24
A remote code execution vulnerability exists in MapR CLDB code, specifically in the JSON framework that is used in the CLDB code that handles login and ticket issuance. An attacker can use the 'class' property of the JSON request sent to t…
- CVE-2019-12086 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-17
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connec…
- CVE-2019-12240 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-20
The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php.
- CVE-2019-12241 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-20
The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserialization via a cartsguru-source cookie to classes/wc-cartsguru-event-handler.php.
- CVE-2019-12384 | MEDIUM | CVSS 5.9 | EG 5.9 | 2019-06-24
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execut…
- CVE-2019-12630 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-02
A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization o…
- CVE-2019-12747 | HIGH | CVSS 8.8 | EG 8.8 | 2019-07-09
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
- CVE-2019-12760 | LOW | CVSS 3.3 | EG 7.5 | 2019-06-06
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can …
- CVE-2019-12799 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-13
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can…
- CVE-2019-12814 | MEDIUM | CVSS 5.9 | EG 5.9 | 2019-06-19
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or …
- CVE-2019-12868 | HIGH | CVSS 7.2 | EG 7.2 | 2019-06-18
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
- CVE-2019-13116 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-16
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
- CVE-2019-1373 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-12
A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'.
- CVE-2019-14224 | HIGH | CVSS 7.2 | EG 7.2 | 2019-09-05
An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim…
- CVE-2019-14439 | HIGH | CVSS 7.5 | EG 7.5 | 2019-07-30
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has…
- CVE-2019-14466 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-12-31
The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a cr…
- CVE-2019-14540 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
- CVE-2019-14892 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-02
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this…
- CVE-2019-14893 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-02
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type…
- CVE-2019-15271 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | 2019-11-26
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid…
- CVE-2019-15319 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-22
The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce.
- CVE-2019-15320 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-22
The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.
- CVE-2019-15321 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-22
The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled.
- CVE-2019-15521 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-26
Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.
- CVE-2019-15780 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-29
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.
- CVE-2019-16112 | HIGH | CVSS 8.8 | EG 8.8 | 2020-05-13
TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI.
- CVE-2019-16317 | HIGH | CVSS 8.8 | EG 8.8 | 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../…
- CVE-2019-16335 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
- CVE-2019-16755 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-26
BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both DWP and SmartIT components, which can permit remote attackers to perform pre-authenticated remote commands execution on the Operating System running the targeted applica…
- CVE-2019-16774 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
- CVE-2019-16891 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-04
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
- CVE-2019-16894 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-26
download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
- CVE-2019-16942 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-01
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commo…
- CVE-2019-16943 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-01
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy…
- CVE-2019-17076 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-08
An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro s…
- CVE-2019-17080 | HIGH | CVSS 7.8 | EG 7.8 | 2019-10-02
mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. This is resolved in 8.0.0 and backports.
- CVE-2019-17206 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-05
Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.
- CVE-2019-17267 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-07
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
- CVE-2019-17358 | HIGH | CVSS 8.1 | EG 8.1 | 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions take…
- CVE-2019-17531 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-10-12
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apach…
- CVE-2019-17556 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-04
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result …