deserialization vulnerabilities and exploits

7.5
CVSSv3
CVE-2018-12022

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an...

7.5
CVSSv3
CVE-2017-11143

In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c....

7.5
CVSSv3
CVE-2018-12023

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access,...

NA
CVE-2019-16894

download.php in inoERP 4.15 allows SQL injection through insecure deserialization....

9.8
CVSSv3
CVE-2019-6503

There is a deserialization vulnerability in Chatopera cosin v3.10.0. An attacker can execute commands during server-side deserialization by uploading maliciously constructed files. This is related to the TemplateController.java impsave method and the MainUtils toObject method....

9.8
CVSSv3
CVE-2016-8736

Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack....

NA
CVE-2019-11666

Insecure deserialization of untrusted data in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow insecure deserialization of untrusted data....

NA
CVE-2015-6420

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and...

ApacheCommons Collections
9.8
CVSSv3
CVE-2019-15780

The formidable plugin before 4.02.01 for WordPress has unsafe deserialization....

9.8
CVSSv3
CVE-2019-12240

The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php....