CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-502

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-16317 502 2019-09-14 2019-09-17
6.5
None Remote Low Single system Partial Partial Partial
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
2 CVE-2019-15780 502 2019-08-29 2019-09-03
7.5
None Remote Low Not required Partial Partial Partial
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.
3 CVE-2019-15521 502 2019-08-26 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.
4 CVE-2019-12868 502 Exec Code 2019-06-17 2019-06-18
6.5
None Remote Low Single system Partial Partial Partial
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
5 CVE-2019-12799 502 Exec Code Bypass 2019-06-13 2019-06-17
6.5
None Remote Low Single system Partial Partial Partial
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
6 CVE-2019-12760 502 Exec Code 2019-06-06 2019-07-05
6.0
None Remote Medium Single system Partial Partial Partial
** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
7 CVE-2019-12747 502 2019-07-09 2019-07-12
7.5
None Remote Low Not required Partial Partial Partial
TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.
8 CVE-2019-12384 502 Exec Code 2019-06-24 2019-09-05
4.3
None Remote Medium Not required Partial None None
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
9 CVE-2019-12241 502 2019-05-20 2019-05-27
7.5
None Remote Low Not required Partial Partial Partial
The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserialization via a cartsguru-source cookie to classes/wc-cartsguru-event-handler.php.
10 CVE-2019-12240 502 2019-05-20 2019-08-22
7.5
None Remote Low Not required Partial Partial Partial
The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php.
11 CVE-2019-11956 502 Exec Code 2019-06-05 2019-06-07
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
12 CVE-2019-11950 502 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
13 CVE-2019-11830 502 Bypass 2019-05-09 2019-05-17
7.5
None Remote Low Not required Partial Partial Partial
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.
14 CVE-2019-11080 502 Exec Code 2019-06-06 2019-06-13
9.0
None Remote Low Single system Complete Complete Complete
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
15 CVE-2019-11030 502 Exec Code 2019-08-22 2019-08-30
10.0
None Remote Low Not required Complete Complete Complete
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.
16 CVE-2019-11011 502 Exec Code 2019-06-21 2019-06-23
7.5
None Remote Low Not required Partial Partial Partial
Akamai CloudTest before 58.30 allows remote code execution.
17 CVE-2019-10912 502 2019-05-16 2019-07-12
6.5
None Remote Low Single system Partial Partial Partial
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
18 CVE-2019-10867 502 2019-04-04 2019-05-03
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
19 CVE-2019-10173 502 2019-07-23 2019-08-05
7.5
None Remote Low Not required Partial Partial Partial
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
20 CVE-2019-10086 502 2019-08-20 2019-09-02
7.5
None Remote Low Not required Partial Partial Partial
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
21 CVE-2019-10069 502 Exec Code 2019-05-31 2019-06-03
7.5
None Remote Low Not required Partial Partial Partial
In Godot through 3.1, remote code execution is possible due to the deserialization policy not being applied correctly.
22 CVE-2019-10068 502 Exec Code Bypass 2019-03-26 2019-04-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Kentico before 12.0.15. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.
23 CVE-2019-9875 502 Exec Code CSRF 2019-05-31 2019-06-03
6.5
None Remote Low Single system Partial Partial Partial
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
24 CVE-2019-9874 502 Exec Code CSRF 2019-05-31 2019-06-03
7.5
None Remote Low Not required Partial Partial Partial
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
25 CVE-2019-7840 502 Exec Code 2019-06-12 2019-06-14
10.0
None Remote Low Not required Complete Complete Complete
ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
26 CVE-2019-7361 502 Exec Code 2019-04-09 2019-04-11
6.8
None Remote Medium Not required Partial Partial Partial
An attacker may convince a victim to open a malicious action micro (.actm) file that has serialized data, which may trigger a code execution in Autodesk Advance Steel 2018, Autodesk AutoCAD 2018, Autodesk AutoCAD Architecture 2018, Autodesk AutoCAD Electrical 2018, Autodesk AutoCAD Map 3D 2018, Autodesk AutoCAD Mechanical 2018, Autodesk AutoCAD MEP 2018, Autodesk AutoCAD P&ID 2018, Autodesk AutoCAD Plant 3D 2018, Autodesk AutoCAD LT 2018, and Autodesk Civil 3D 2018.
27 CVE-2019-7091 502 Exec Code 2019-05-24 2019-05-28
10.0
None Remote Low Not required Complete Complete Complete
ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
28 CVE-2019-6980 502 2019-05-29 2019-05-30
7.5
None Remote Low Not required Partial Partial Partial
Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecure object deserialization in the IMAP component.
29 CVE-2019-6446 502 Exec Code 2019-01-16 2019-05-10
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
30 CVE-2019-5434 502 2019-05-06 2019-05-09
7.5
None Remote Low Not required Partial Partial Partial
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.
31 CVE-2019-5350 502 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
32 CVE-2019-5069 502 Exec Code 2019-09-05 2019-09-06
6.5
None Remote Low Single system Partial Partial Partial
A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
33 CVE-2019-4279 502 Exec Code 2019-05-17 2019-05-24
10.0
None Remote Low Not required Complete Complete Complete
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
34 CVE-2019-0305 502 2019-06-12 2019-06-14
4.3
None Remote Medium Not required None Partial None
Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data.
35 CVE-2019-0195 502 2019-09-16 2019-09-17
7.5
None Remote Low Not required Partial Partial Partial
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
36 CVE-2019-0192 502 Exec Code 2019-03-07 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
37 CVE-2019-0189 502 Exec Code 2019-09-11 2019-09-13
7.5
None Remote Low Not required Partial Partial Partial
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16
38 CVE-2018-1999042 502 2018-08-23 2019-05-08
5.0
None Remote Low Not required Partial None None
A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.
39 CVE-2018-1000861 502 Exec Code 2018-12-10 2019-05-08
10.0
None Remote Low Not required Complete Complete Complete
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
40 CVE-2018-1000613 502 Exec Code 2018-07-09 2019-04-23
7.5
None Remote Low Not required Partial Partial Partial
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
41 CVE-2018-1000224 502 Overflow 2018-08-20 2018-10-31
5.0
None Remote Low Not required None None Partial
Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death), possible leak of uninitialized memory. This attack appear to be exploitable via A malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). Could be triggered by multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.
42 CVE-2018-1000210 502 Exec Code 2018-07-13 2018-09-11
6.8
None Remote Medium Not required Partial Partial Partial
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.
43 CVE-2018-1000167 502 Exec Code 2018-04-18 2018-05-22
9.3
None Remote Medium Not required Complete Complete Complete
OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Function as used in the following files: config.py:136, config.py:142, sources.py:99 and sources.py:131. The "list-sources"-command is affected by this bug. that can result in Remote Code Execution(even as root if suricata-update is called by root). This attack appears to be exploitable via a specially crafted yaml-file at https://www.openinfosecfoundation.org/rules/index.yaml. This vulnerability appears to have been fixed in 1.0.0b1.
44 CVE-2018-1000074 502 Exec Code 2018-03-13 2019-05-20
6.8
None Remote Medium Not required Partial Partial Partial
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
45 CVE-2018-1000058 502 Exec Code 2018-02-09 2018-03-06
6.5
None Remote Low Single system Partial Partial Partial
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
46 CVE-2018-1000048 502 Exec Code 2018-02-09 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerability in Data retrieval functionality of RtRetrieval framework that can result in remote code execution. This attack appear to be exploitable via Victim tries to retrieve and process a weather data file.
47 CVE-2018-1000047 502 Exec Code 2018-02-09 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak library's data processing function that can result in remote code execution. This attack appear to be exploitable via Victim opens an untrusted file for optimization using Kodiak library.
48 CVE-2018-1000046 502 Exec Code 2018-02-09 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in Radar data parsing library that can result in remote code execution. This attack appear to be exploitable via Victim opening a specially crafted radar data file. This vulnerability appears to have been fixed in v1.4.
49 CVE-2018-1000045 502 Exec Code 2018-02-09 2018-03-01
6.8
None Remote Medium Not required Partial Partial Partial
NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA Singledop library (Weather data) that can result in remote code execution. This attack appear to be exploitable via Victim opening a specially crafted radar data file. This vulnerability appears to have been fixed in v1.1.
50 CVE-2018-20993 502 2019-08-26 2019-08-28
5.0
None Remote Low Not required None None Partial
An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. There is uncontrolled recursion during deserialization.
Total number of vulnerabilities : 224   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.