| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2. |
| Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31. |
| Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9. |
| Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0. |
| Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1. |
| Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish allows Object Injection.This issue affects Goldish: from n/a through < 3.47. |
| In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
Adjust KVM's sanity check against overwriting a shadow-present SPTE with a
another SPTE with a different target PFN to only apply to direct MMUs,
i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM
to overwrite a shadow-present SPTE in response to a guest write, writes
from outside the scope of KVM, e.g. from host userspace, aren't detected
by KVM's write tracking and so can break KVM's shadow paging rules.
------------[ cut here ]------------
pfn != spte_to_pfn(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
Call Trace:
<TASK>
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]--- |
| Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |
| Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue. |
| Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue affects Traveler: from n/a through < 3.2.8.1. |
| Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11. |
| Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection.This issue affects UNIVERSAM: from n/a through <= 9.04.02. |
| Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1. |
| Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Object Injection.This issue affects eDS Responsive Menu: from n/a through <= 1.2. |
| Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon aitasi-coming-soon allows Object Injection.This issue affects Aitasi Coming Soon: from n/a through <= 2.0.2. |
| Deserialization of Untrusted Data vulnerability in awesomesupport Awesome Support awesome-support allows Object Injection.This issue affects Awesome Support: from n/a through <= 6.3.5. |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes - TQL Edition ltl-freight-quotes-tql-edition allows Object Injection.This issue affects LTL Freight Quotes - TQL Edition: from n/a through <= 1.2.6. |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Daylight Edition ltl-freight-quotes-daylight-edition allows Object Injection.This issue affects LTL Freight Quotes – Daylight Edition: from n/a through <= 2.2.7. |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Day & Ross Edition ltl-freight-quotes-day-ross-edition allows Object Injection.This issue affects LTL Freight Quotes – Day & Ross Edition: from n/a through <= 2.1.11. |
| Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection.This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9. |
