CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,283 with public exploits | 4,731 exploited in the wild | 1,542 in CISA KEV | 3,930 Nuclei templates | 37,826 vendors | 42,577 researchers
2,435 results
CVE-2023-34347 9.8 CRITICAL EPSS 0.00
Delta Electronics InfraSuite Device Master < 1.0.7 - Insecure Deserialization
Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain classes that cannot be safely deserialized, which could allow an attacker to remotely execute arbitrary code.
CWE-502 Jul 10, 2023
CVE-2023-33008 5.3 MEDIUM EPSS 0.00
Apache Johnzon < 1.2.21 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache Johnzon. An attacker can craft JSON input containing very large numbers (for example 1e20000000) that Apache Johnzon deserializes into a BigDecimal; converting a value with such an extreme exponent is slow, creating a denial of service risk. Apache Johnzon 1.2.21 mitigates this by applying a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon through 1.2.20.
CWE-502 Jul 07, 2023
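
The check described for Johnzon 1.2.21 is easy to reproduce in a few lines, and worth seeing because it shows where the cost actually sits: constructing the BigDecimal is cheap, expanding it is not. The following is an added example, not Apache Johnzon's code; the class name NumberScaleGuard and the parse method are illustrative, and the limit of 1000 mirrors the default the advisory describes.

```java
import java.math.BigDecimal;

// Added example (not Apache Johnzon code): reject JSON numbers whose BigDecimal
// scale is unreasonably large before any expensive conversion is attempted.
public class NumberScaleGuard {

    // Matches the default limit the Johnzon 1.2.21 advisory describes.
    static final int DEFAULT_SCALE_LIMIT = 1000;

    private final int scaleLimit;

    public NumberScaleGuard(int scaleLimit) {
        this.scaleLimit = scaleLimit;
    }

    /** Parse a JSON number literal; throws if its scale exceeds the limit. */
    public BigDecimal parse(String literal) {
        // Constructing the BigDecimal is cheap: "1e20000000" is stored as the
        // unscaled value 1 with scale -20000000; no digits are expanded yet.
        BigDecimal value = new BigDecimal(literal);
        int scale = value.scale();
        if (Math.abs(scale) > scaleLimit) {
            throw new IllegalArgumentException(
                    "number scale " + scale + " exceeds limit " + scaleLimit);
        }
        return value;
    }

    public static void main(String[] args) {
        NumberScaleGuard guard = new NumberScaleGuard(DEFAULT_SCALE_LIMIT);

        // Ordinary values pass and can be expanded safely.
        System.out.println(guard.parse("12.50").toPlainString());    // 12.50
        System.out.println(guard.parse("6.02e23").toPlainString());  // 602000000000000000000000

        // The value class from the advisory: parses instantly, but any later
        // caller that expands it (toPlainString, setScale, toBigInteger) would
        // try to materialise twenty million digits. The guard stops it first.
        try {
            guard.parse("1e20000000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scale check only bounds the exponent; a literal that is itself megabytes of digits has scale 0 and must be stopped by an input-size limit on the reader instead.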
CVE-2023-28323 9.8 CRITICAL EPSS 0.08
Ivanti Endpoint Manager <= 2022 SU3 - Insecure Deserialization
A deserialization of untrusted data vulnerability exists in EPM 2022 SU3 and all prior versions that allows an unauthenticated user to elevate rights. The flaw could be chained with other operating system vulnerabilities to escalate privileges on the machine, or used as a stepping stone to reach other network-attached machines.
CWE-502 Jul 01, 2023
CVE-2023-31222 9.8 CRITICAL EPSS 0.29
Medtronic Paceart Optima <= 1.11 - Insecure Deserialization
Deserialization of untrusted data in the Microsoft Message Queuing (MSMQ) service used by Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization's Paceart Optima system cardiac device data, causing data to be deleted, stolen, or modified, or the Paceart Optima system to be used for further network penetration via its network connectivity.
CWE-502 Jun 29, 2023
CVE-2023-21209 6.7 MEDIUM EPSS 0.00
Google Android - Insecure Deserialization
In multiple functions of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-262236273.
CWE-502 Jun 28, 2023
CVE-2023-21206 4.4 MEDIUM EPSS 0.00
Google Android - Insecure Deserialization
In initiateVenueUrlAnqpQueryInternal of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-262245630.
CWE-502 Jun 28, 2023
CVE-2023-21205 5.5 MEDIUM EPSS 0.00
Google Android - Insecure Deserialization
In startWpsPinDisplayInternal of sta_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-262245376.
CWE-502 Jun 28, 2023
CVE-2023-33299 9.8 CRITICAL EPSS 0.10
Fortinet FortiNAC <7.2.1, <9.4.3, <9.2.8, <=8.x - Insecure Deserialization
A deserialization of untrusted data vulnerability in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8, and all versions of 8.x allows an attacker to execute unauthorized code or commands via a specially crafted request to the inter-server communication port. Note: FortiNAC 8.x will not be fixed.
CWE-502 Jun 23, 2023
CVE-2023-26436 7.1 HIGH EPSS 0.00
Open-Xchange AppSuite Backend <= 7.10.6 - Deserialization Code Injection
Attackers with access to the "documentconverterws" API could inject serialized Java objects that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected and executed while the request is processed. A check has been introduced that restricts deserialization for this API to the legitimate, expected classes, and a warning is now logged when an attempt to inject an illegal class is detected. No publicly available exploits are known.
CWE-502 Jun 20, 2023
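
The Open-Xchange fix above (restrict deserialization to expected classes, log anything else) is the standard pattern for Java object streams: an ObjectInputFilter allowlist that rejects a class before its readObject() runs. The block below is an added example and not Open-Xchange code; ConvertRequest stands in for the one payload type a hypothetical converter endpoint expects, and Unexpected stands in for any other class an attacker might place in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not Open-Xchange code: a class allowlist for Java
// deserialization using java.io.ObjectInputFilter (Java 9+).
public class DeserializationAllowlist {

    // Allowlist pattern: accept the request type (and the String it carries),
    // reject every other class ("!*"), and cap object-graph depth and stream
    // size so even the allowed type cannot be abused for resource exhaustion.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=65536;java.lang.String;"
                    + ConvertRequest.class.getName() + ";!*");

    /** Deserialize a request body; unexpected classes are rejected before their readObject() runs. */
    public static Object readRequest(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate request: passes the filter.
        ConvertRequest ok = (ConvertRequest) readRequest(serialize(new ConvertRequest("doc-42")));
        System.out.println("accepted: " + ok.documentId);

        // Unexpected class: the filter rejects its class descriptor, so the
        // custom readObject() defined on Unexpected never executes.
        try {
            readRequest(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}

// Hypothetical payload type the endpoint is meant to accept.
class ConvertRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String documentId;
    ConvertRequest(String documentId) { this.documentId = documentId; }
}

// Stand-in for any class the endpoint does not expect (a gadget class, for instance).
class Unexpected implements Serializable {
    private static final long serialVersionUID = 1L;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("readObject ran: the allowlist failed");
    }
}
```

The filter string can also be set process-wide with the jdk.serialFilter system property, but a per-stream filter as above lets each endpoint name exactly the types it expects; the InvalidClassException message is the natural place to hook the warning log the advisory mentions.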
CVE-2023-35839 9.8 CRITICAL EPSS 0.00
Solon < 2.3.3 - Insecure Deserialization
A bypass in the sofa-hessian component of Solon before v2.3.3 allows attackers to execute arbitrary code by providing a crafted payload.
CWE-502 Jun 19, 2023
CVE-2023-3308 5.5 MEDIUM EPSS 0.00
whaleal IceFrog 1.1.8 - Deserialization
A vulnerability classified as problematic has been found in whaleal IceFrog 1.1.8. An unknown function of the Aviator Template Engine component is affected. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231804.
CWE-502 Jun 18, 2023
CVE-2023-21124 7.8 HIGH EPSS 0.00
Google Android - Insecure Deserialization
In run of multiple files, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-265798353.
CWE-502 Jun 15, 2023
CVE-2023-32031 8.8 HIGH 1 PoC Analysis EPSS 0.45
Microsoft Exchange Server - RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
CWE-502 Jun 14, 2023
CVE-2023-28310 8.0 HIGH 1 PoC EPSS 0.07
Microsoft Exchange Server - Insecure Deserialization
Microsoft Exchange Server Remote Code Execution Vulnerability
CWE-502 Jun 14, 2023
CVE-2023-3001 7.8 HIGH EPSS 0.03
Dashboard - Code Injection
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets a user to open a malicious file.
CWE-502 Jun 14, 2023
CVE-2023-3234 4.3 MEDIUM EPSS 0.00
CRMEB <= 4.6.0 - Insecure Deserialization
A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been declared as problematic. Affected by this vulnerability is the function put_image of the file api/controller/v1/PublicController.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-231505 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE-502 Jun 14, 2023
CVE-2023-3232 6.3 MEDIUM EPSS 0.00
CRMEB <= 4.6.0 - Insecure Deserialization
A vulnerability was found in Zhong Bang CRMEB up to 4.6.0 and classified as critical. This issue affects some unknown processing of the file /api/wechat/app_auth in the Image Upload component. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231503. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE-502 Jun 14, 2023
CVE-2023-34212 6.5 MEDIUM 1 PoC Analysis EPSS 0.01
Apache NiFi < 1.22.0 - Insecure Deserialization
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The fix validates the JNDI URL and restricts locations to a set of allowed schemes. Upgrade to version 1.22.0 or later, which fixes this issue.
CWE-502 Jun 12, 2023
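
The NiFi entry names two user-controlled inputs, the JNDI provider URL and the client library location, and a fix that allowlists URL schemes. The following is an added example, not Apache NiFi's code, of what such validation looks like: the allowed scheme set (tcp, ssl, vm) is an assumption for illustration since the page does not say which schemes NiFi permits, and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not Apache NiFi code: a scheme allowlist for a user-supplied
// JNDI provider URL, plus a check that client-library locations are local.
// The allowed schemes are an assumption; a deployment would list exactly the
// transports its JMS brokers use.
public class JndiUrlValidator {

    private final Set<String> allowedSchemes;

    public JndiUrlValidator(Set<String> allowedSchemes) {
        this.allowedSchemes = allowedSchemes;
    }

    /** Returns the normalised scheme if the provider URL is acceptable, throws otherwise. */
    public String checkProviderUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed provider URL: " + url, e);
        }
        if (uri.getScheme() == null) {
            throw new IllegalArgumentException("provider URL has no scheme: " + url);
        }
        // Compare case-insensitively so "LDAP://" cannot slip past a lower-case list.
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!allowedSchemes.contains(scheme)) {
            throw new IllegalArgumentException("provider URL scheme not allowed: " + scheme);
        }
        return scheme;
    }

    /** Client libraries may only come from the local filesystem, never be fetched over the network. */
    public static String checkLibraryLocation(String location) {
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed library location: " + location, e);
        }
        String scheme = uri.getScheme();
        if (scheme != null && !scheme.equalsIgnoreCase("file")) {
            throw new IllegalArgumentException("remote library location not allowed: " + location);
        }
        return location;
    }

    public static void main(String[] args) {
        JndiUrlValidator v = new JndiUrlValidator(Set.of("tcp", "ssl", "vm"));

        String[] providerUrls = {
            "tcp://broker.internal:61616",             // allowed
            "vm://localhost?broker.persistent=false",  // allowed
            "ldap://attacker.example:1389/Exploit",    // rejected: remote object lookup
            "RMI://attacker.example:1099/obj",         // rejected despite upper case
        };
        for (String url : providerUrls) {
            try {
                System.out.println("ok   " + v.checkProviderUrl(url));
            } catch (IllegalArgumentException e) {
                System.out.println("deny " + e.getMessage());
            }
        }

        String[] libs = {
            "/opt/jms/activemq-client.jar",        // allowed: local path, no scheme
            "file:///opt/jms/client.jar",          // allowed: file scheme
            "http://attacker.example/client.jar",  // rejected: would load code from the network
        };
        for (String lib : libs) {
            try {
                System.out.println("ok   " + checkLibraryLocation(lib));
            } catch (IllegalArgumentException e) {
                System.out.println("deny " + e.getMessage());
            }
        }
    }
}
```

Scheme validation is only the first gate: the library check matters just as much, because a user who can point the service at a remote jar does not need a JNDI lookup to get code executed. Note that java.net.URI rejects backslashes, so Windows-style paths would need normalising before this check.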
CVE-2023-30262 8.8 HIGH EPSS 0.11
MIM Software MIM Concurrent License Server - Insecure Deserialization
An issue in MIM Software Inc. MIM License Server and MIMpacs services v6.9 through v7.0, fixed in v7.0.10, allows a remote unauthenticated attacker to execute arbitrary code via the RMI Registry service.
CWE-502 Jun 09, 2023
CVE-2023-33496 9.8 CRITICAL 1 Writeup EPSS 0.00
xxl-rpc 1.7.0 - Insecure Deserialization
xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability in the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode.
CWE-502 Jun 07, 2023