CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,280 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,569 researchers

2,435 results
CVE-2025-21364 | 7.8 HIGH | EPSS 0.00
Microsoft 365 Apps - Insecure Deserialization
Microsoft Excel Security Feature Bypass Vulnerability
CWE-502 | Jan 14, 2025
CVE-2025-0465 | 7.3 HIGH | EPSS 0.00
AquilaCMS 1.412.13 - Deserialization
A vulnerability was found in AquilaCMS 1.412.13. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v2/categories. The manipulation of the argument PostBody.populate leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-502 | Jan 14, 2025
CVE-2024-13163 | 7.8 HIGH | EPSS 0.23
Ivanti EPM <2024 - Remote Code Execution
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
CWE-502 | Jan 14, 2025
CVE-2025-22777 | 9.8 CRITICAL | 2 PoCs | Analysis | EPSS 0.01
Givewp < 3.19.4 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection. This issue affects GiveWP: from n/a through 3.19.3.
CWE-502 | Jan 13, 2025
CVE-2024-12877 | 9.8 CRITICAL | EXPLOITED | 2 PoCs | Analysis | EPSS 0.28
Givewp < 3.19.2 - Insecure Deserialization
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3; a fully sufficient patch was not released until 3.19.4. However, another CVE was assigned by another CNA for version 3.19.3, so we will leave this as affecting 3.19.2 and before. We have recommended the vendor use JSON encoding to prevent any further deserialization vulnerabilities from being present.
CWE-502 | Jan 11, 2025
CVE-2024-12627 | 7.5 HIGH | EPSS 0.01
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up,...
The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via deserialization of untrusted input from post content passed to the capture_email AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CWE-502 | Jan 11, 2025
CVE-2024-13297 | 6.6 MEDIUM | EPSS 0.01
Drupal Eloqua <7.X-1.15 - Code Injection
Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection. This issue affects Eloqua: from 7.X-* before 7.X-1.15.
CWE-502 | Jan 09, 2025
CVE-2024-13296 | 6.6 MEDIUM | EPSS 0.00
Drupal Mailjet <4.0.1 - Code Injection
Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection. This issue affects Mailjet: from 0.0.0 before 4.0.1.
CWE-502 | Jan 09, 2025
CVE-2024-13295 | 6.6 MEDIUM | EPSS 0.00
Drupal <7.X-3.3 - Code Injection
Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection. This issue affects Node export: from 7.X-* before 7.X-3.3.
CWE-502 | Jan 09, 2025
CVE-2024-13288 | 4.3 MEDIUM | EPSS 0.00
Drupal Monster Menus <9.3.4-9.4.2 - Deserialization
Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection. This issue affects Monster Menus: from 0.0.0 before 9.3.4, from 9.4.0 before 9.4.2.
CWE-502 | Jan 09, 2025
CVE-2025-22510 | 7.2 HIGH | 1 PoC | Analysis | EPSS 0.14
WC Price History for Omnibus <2.1.4 - Code Injection
Deserialization of Untrusted Data vulnerability in Konrad Karpieszuk WC Price History for Omnibus allows Object Injection. This issue affects WC Price History for Omnibus: from n/a through 2.1.4.
CWE-502 | Jan 09, 2025
CVE-2023-27531 | 5.3 MEDIUM | EPSS 0.00
Rubygems Kredis < 1.3.0.1 - Insecure Deserialization
There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code.
CWE-502 | Jan 09, 2025
CVE-2024-54676 | 9.8 CRITICAL | EPSS 0.06
Apache Openmeetings < 8.0.0 - Insecure Deserialization
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data. Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
CWE-502 | Jan 08, 2025
CVE-2022-45185 | 8.8 HIGH | 1 Writeup | EPSS 0.00
Salesagility Suitecrm - Insecure Deserialization
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.
CWE-502 | Jan 07, 2025
CVE-2024-55555 | 8.8 HIGH | 2 PoCs | Analysis | EPSS 0.39
Invoice Ninja <5.10.43 - RCE
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
CWE-502 | Jan 07, 2025
CVE-2024-55556 | 9.8 CRITICAL | 1 PoC | Analysis | NUCLEI | EPSS 0.79
Crater Invoice - Code Injection
A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server.
CWE-502 | Jan 07, 2025
CVE-2024-56291 | 8.1 HIGH | EPSS 0.01
Plainware.com PlainInventory <3.1.6 - Code Injection
Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection. This issue affects PlainInventory: from n/a through 3.1.6.
CWE-502 | Jan 07, 2025
CVE-2024-56283 | 8.1 HIGH | EPSS 0.01
plainware.com Locatoraid Store Locator <3.9.50 - Object Injection
Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection. This issue affects Locatoraid Store Locator: from n/a through 3.9.50.
CWE-502 | Jan 07, 2025
CVE-2024-49222 | 9.8 CRITICAL | EPSS 0.01
WPGuppy <1.1.0 - Code Injection
Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection. This issue affects WPGuppy: from n/a through 1.1.0.
CWE-502 | Jan 07, 2025
CVE-2024-12313 | 8.1 HIGH | EPSS 0.02
Compare Products for WooCommerce <3.2.1 - Code Injection
The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CWE-502 | Jan 07, 2025