| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions. |
| Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions. |
| Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions. |
| Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions. |
| Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service due to insecure deserialization in the .NET Remoting service. The service is configured with TypeFilterLevel.Full and is bound to local interfaces only through named pipes. A local authenticated attacker can connect to the local named pipe, obtain the .NET Remoting endpoint, and send specially crafted serialized objects. Successful exploitation results in arbitrary code execution in the context of the update process with NT AUTHORITY\SYSTEM privileges. Network-only exploitation is not possible and local host access with an authenticated user session is required. |
| Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions. |
| Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions. |
| Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions. |
| Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions. |
| Unauthenticated PHP Object Injection in Moderno < 1.43 versions. |
| Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection.
This issue affects Lagom: from n/a through 2.0. |
| Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection.
This issue affects The Barber Shop: from n/a through 1.9. |
| Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection.
This issue affects The Hospital: from n/a through 1.8.1. |
| Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.
This issue affects Creatify: from n/a through 1.5. |
| NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process. |
| The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location. |
| GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue. |
| Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.
Affected versions:
Spring Cloud Gateway 3.1.x (fix 3.1.13).
Spring Cloud Gateway 4.1.x (fix 4.1.13).
Spring Cloud Gateway 4.2.x (fix 4.2.9).
Spring Cloud Gateway 4.3.x (fix 4.3.5).
Spring Cloud Gateway 5.0.x (fix 5.0.2). |
| A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems. |
| Impact:
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.
In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.
Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.
Patches:
Upgrade to undici v7.28.0 or v8.5.0.
Workarounds:
If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream. |