CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in the wild; 1,542 in CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,555 researchers
2,435 results
CVE-2018-15425 4.7 MEDIUM EPSS 0.00
Cisco Identity Services Engine - Insecure Deserialization
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server.
CWE-502 Oct 05, 2018
CVE-2018-16364 8.1 HIGH EPSS 0.02
Zohocorp Manageengine Applications Manager - Insecure Deserialization
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
CWE-502 Sep 26, 2018
CVE-2018-3972 9.8 CRITICAL EPSS 0.01
Monero - Insecure Deserialization
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
CWE-502 Sep 26, 2018
CVE-2018-15965 9.8 CRITICAL EPSS 0.32
Adobe Coldfusion - Insecure Deserialization
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CWE-502 Sep 25, 2018
CVE-2018-15959 9.8 CRITICAL EPSS 0.32
Adobe Coldfusion - Insecure Deserialization
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CWE-502 Sep 25, 2018
CVE-2018-15958 9.8 CRITICAL EPSS 0.32
Adobe Coldfusion - Insecure Deserialization
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CWE-502 Sep 25, 2018
CVE-2018-15957 9.8 CRITICAL EPSS 0.53
Adobe Coldfusion - Insecure Deserialization
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
CWE-502 Sep 25, 2018
CVE-2016-9045 8.8 HIGH EPSS 0.01
ProcessMaker Enterprise Core <3.0.1.7 - Code Injection
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
CWE-502 Sep 17, 2018
CVE-2018-17057 9.8 CRITICAL 1 PoC Analysis EPSS 0.53
TCPDF <6.2.22 - Deserialization
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
CWE-502 Sep 14, 2018
CVE-2016-0750 4.2 MEDIUM EPSS 0.01
Infinispan <9.1.0.Final - Code Injection
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
CWE-502 Sep 11, 2018
CVE-2018-1567 9.8 CRITICAL EPSS 0.01
IBM Websphere Application Server < 7.0.0.45 - Insecure Deserialization
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
CWE-502 Sep 07, 2018
CVE-2018-10911 7.5 HIGH EPSS 0.05
Glusterfs < 3.12.14 - Integer Overflow
A flaw was found in the way the dic_unserialize function of glusterfs handles negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.
CWE-190 Sep 04, 2018
CVE-2018-15514 8.8 HIGH EPSS 0.03
Docker - Insecure Deserialization
HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges.
CWE-502 Sep 01, 2018
CVE-2018-10513 7.8 HIGH EPSS 0.00
Trend Micro Security <2018 - Privilege Escalation
A Deserialization of Untrusted Data Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability.
CWE-502 Aug 30, 2018
CVE-2018-15691 9.8 CRITICAL 1 PoC Analysis EPSS 0.43
Broadcom Release Automation < 6.3.0.9945 - Insecure Deserialization
Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code.
CWE-502 Aug 30, 2018
CVE-2018-14572 7.8 HIGH EPSS 0.01
Conference Scheduler CLI - RCE
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
CWE-78 Aug 28, 2018
CVE-2018-15576 8.1 HIGH 1 PoC Analysis EPSS 0.09
Hazzardweb Easylogin Pro < 1.3.0 - Insecure Deserialization
An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.
CWE-502 Aug 24, 2018
CVE-2018-1999042 5.3 MEDIUM EPSS 0.00
Jenkins <2.137-<2.121.2 - SSRF
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
CWE-502 Aug 23, 2018
CVE-2018-1000641 9.8 CRITICAL EPSS 0.01
YesWiki <= cercopitheque beta 1 - Code Injection
YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability when unserialising a user-entered parameter in i18n.inc.php, which can result in code execution and disclosure of information.
CWE-502 Aug 20, 2018
CVE-2018-15503 7.5 HIGH 1 PoC 1 Writeup Analysis EPSS 0.01
Swoole - Insecure Deserialization
The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV.
CWE-502 Aug 18, 2018