| Date | Vendor | Product | Versions | Description | References | Credits |
|---|---|---|---|---|---|---|
|
2024-04-22 |
Newforma |
Project Center Server |
<= latest/2023.3.0.32259 (not fixed) |
Insecure .NET Remoting |
CVE-2024-32499 |
|
|
2024-02-19 |
Salesforce |
Tableau Server |
latest version (won't fix) |
SSRF & NetNTLM Leaks |
||
|
2023-12-19 |
GANZ Security (CBC Group) |
AI BOX |
< 100378 |
Authentication Bypass |
||
|
2023-12-19 |
Netavis Software GmbH |
CCTV with Observer |
~ 4.6.8 (not fixed) |
Pre-Authenticated XXE |
n/a |
|
|
2023-12-14 |
Hitachi Ventara |
Pentaho Business Analytics Server |
8.x , < 9.5.0.1 , < 9.3.0.5 |
JNDI Injection |
CVE-2023-3517 https://support.pentaho.com/hc... |
|
|
2023-12-12 |
Janitza |
GridVis |
< 9.0.67 |
Authenticated Remote Code Execution |
CVE-2023-50895 |
|
|
2023-12-12 |
Janitza |
GridVis |
< 9.0.67 |
Hard-Coded Encryption Password Allows for Authenticated Leak of Cleartext Database Credentials |
CVE-2023-50894 |
|
|
2023-11-29 |
Indu-Sol GmbH |
PROFINET-INspector NT |
< 2.4.1 |
Unauthenticated Arbitrary File Write as Root |
CVE-2023-49960 |
|
|
2023-11-29 |
Indu-Sol GmbH |
PROFINET-INspector NT |
< 2.4.1 |
Unauthenticated OS Command Injection |
CVE-2023-49959 |
|
|
2023-11-14 |
Microsoft |
ASP.NET |
< November 2023 |
Security Feature Bypass Vulnerability |
CVE-2023-36560 |
|
|
2023-10-10 |
Microsoft |
Skype for Business Server |
< Skype for Business Server 2019 CU7 and Skype for Business Server 2015 CU13 |
Unauthenticated Server-side Request Forgery |
https://msrc.microsoft.com/upd... https://frycos.github.io/vulns... |
|
|
2023-07-26 |
Ivanti |
Ivanti Desktop and Server Management |
< DSM 2022.2 SU3 |
Local Privilege Escalation |
CVE-2023-28129 https://forums.ivanti.com/s/ar... |
|
|
2023-07-15 |
OneVision Software AG |
Workspace |
< v.WS22.1 SR1 (build w29.032) , < v.WS22.2 SR3 (build w30.044) < v.WS23.1 SR1 (build w31.040) |
Arbitrary Java EL Execution |
CVE-2023-42404 |
|
|
2023-07-11 |
Microsoft |
SharePoint |
< July 2023 |
|
CVE-2023-33160 https://code-white.com/blog/ex... |
|
|
2023-06-19 |
Developer Express, Inc |
DevExpress |
< 23.1.3 , < 22.2.6 , < 22.2.3 , < 22.1.9 , < 22.1.7 , < 21.2.12 |
Data Source Protection Bypass During XML Deserialization |
CVE-2023-35815 https://supportcenter.devexpre... https://supportcenter.devexpre... |
|
|
2023-06-19 |
Sitecore |
Experience Manager, Experience Platform, and Experience Commerce |
< 10.3 |
Exposed Dangerous Method or Function |
CVE-2023-35813 https://support.sitecore.com/k... https://code-white.com/blog/ex... |
|
|
2023-06-19 |
Developer Express, Inc |
DevExpress |
< 23.1.3 , < 22.2.6 , < 22.2.3 , < 22.1.9 , < 22.1.7 , < 21.2.12 |
Insecure Arbitrary TypeConverter Conversion |
CVE-2023-35816 https://supportcenter.devexpre... https://supportcenter.devexpre... |
|
|
2023-06-19 |
Developer Express, Inc |
DevExpress |
< 23.1.3 , < 22.2.6 , < 22.2.3 , < 22.1.9 , < 22.1.7 , < 21.2.12 |
Missing Protection of XtraReport Serialized Data in ASP.NET Web Forms |
CVE-2023-35814 https://supportcenter.devexpre... https://supportcenter.devexpre... https://supportcenter.devexpre... |
|
|
2023-06-19 |
Developer Express, Inc |
DevExpress |
< 23.1.3 , < 22.2.6 , < 22.2.3 , < 22.1.9 , < 22.1.7 , < 21.2.12 |
Server-Side Request Forgery Via AsyncDownloader |
CVE-2023-35817 https://supportcenter.devexpre... https://supportcenter.devexpre... https://supportcenter.devexpre... |
|
|
2023-05-24 |
Hitachi Ventara |
Pentaho Business Analytics Server |
< 9.3.0.3 , < 9.4.0.1 |
Deserialization of Untrusted Data |
CVE-2022-4815 https://support.pentaho.com/hc... |
|
|
2023-04-14 |
MCL Technologies |
MCL-Net |
< 4.6 |
Unauthenticated Arbitrary File Read as SYSTEM |
||
|
2023-03-02 |
Fortinet |
FortiNAC |
< 9.4.3/4 |
Multiple Vulnerabilities (Unauthenticated) |
CVE-2023-33299 https://www.fortiguard.com/psi... CVE-2023-33300 https://www.fortiguard.com/psi... |
|
|
2023-02-20 |
Technicolor |
TG670 DSL gateway router |
<= 10.5.N.9 |
Hard-coded Administrative Credentials |
CVE-2023-31808 https://www.kb.cert.org/vuls/i... |
|
|
2023-02-02 |
Fortra |
GoAnywhere MFT |
< 7.1.2 |
Unauthenticated Remote Code Execution |
CVE-2023-0669 https://frycos.github.io/vulns... |
|
|
2023-01-18 |
Docmosis |
Tornado Server |
< 2.9.5 |
Multiple Vulnerabilities |
CVE-2023-25264 CVE-2023-25265 CVE-2023-25266 https://frycos.github.io/vulns... |
|
|
2022-11-23 |
pgAdmin |
pgAdmin Web (Windows) |
<= 6.16 |
Unauthenticated Remote Code Execution |
CVE-2022-4223 https://www.pgadmin.org/docs/p... |
|
|
2022-11-09 |
Sophos |
Sophos Mobile |
5.0.0 <= 9.7.4 |
Unauthenticated XXE |
CVE-2022-3980 https://www.sophos.com/en-us/s... |
|
|
2022-10-10 |
Apache |
Apache Archiva |
latest version (won't fix) |
Unauthorized User Registration |
n/a |
|
|
2022-09-09 |
GFI Software |
Kerio Connect |
9.4.0 <= 9.4.2 |
Low-Priv User Stack Buffer Overflow in 2FA |
CVE-2023-25267 |
|
|
2022-07-26 |
ConnectWise |
R1Soft Server Backup Manager |
<= v6.16.3 |
Authentication Bypass |
||
|
2022-07-12 |
innovaphone AG |
App Platform AP Manager |
<= 13r2 sr17 |
Authenticated Command Injection |
CVE-2022-41870 http://wiki.innovaphone.com/in... |
|
|
2022-07-12 |
SEPPmail AG |
SEPPmail Appliance |
<= 12.1.17 |
Authenticated Command Injection |
CVE-2022-41871 |
|
|
2022-06-28 |
Moxa |
EDR-810 Series |
not fixed yet |
Authenticated Command Injection |
n/a |
|
|
2022-06-28 |
Moxa |
TN-5916 NAT Router |
not fixed yet |
Authenticated Command Injection |
n/a |
|
|
2022-06-28 |
Moxa |
TN-5916 NAT Router |
not fixed yet |
Authentication Bypass |
n/a |
|
|
2022-06-09 |
SmarterTools |
SmarterStats |
< 8195 |
Unauthenticated Remode Code Execution in gRPC Interfaces |
||
|
2022-06-03 |
PTC Group |
Windchill PDMLink |
not fixed yet |
Vulnerable RMI Call |
||
|
2022-05-10 |
Potix Corporation |
ZK Framework |
< 9.6.2 |
|
CVE-2022-36537 https://tracker.zkoss.org/brow... |
|
|
2022-02-14 |
3CX |
Phone Management System |
< 18 Update 3 |
Unauthenticated Remote Code Execution |
CVE-2022-28005 CVE-2022-48483 CVE-2022-48482 https://www.3cx.com/blog/relea... |
|
|
2022-02-08 |
HPE |
StoreEver ESL G3 Tape Library |
not fixed (EoL) |
Unauthenticated Remote Code Execution |
n/a |
|
|
2022-01-20 |
Citrix |
Citrix ADM |
13.0 before 13.0-85.19 and 13.1 before 13.1-21.53 |
Authentication Bypass (Unauthenticated Root Password Reset) |
CVE-2022-27511 https://support.citrix.com/art... |
|
|
2022-01-20 |
Citrix |
Citrix ADM |
13.0 before 13.0-85.19 and 13.1 before 13.1-21.53 |
Unauthenticated Service Shutdown |
CVE-2022-27512 https://support.citrix.com/art... |
|
|
2022-01-10 |
Act! LLC. |
ACT! CRM |
reported , status unknown |
Unauthenticated Remote Code Execution |
||
|
2021-12-15 |
Microsoft |
Exchange 2013/2016/2019 |
Prior Patch Day January 2022 |
Deserialization Protection Bypass |
CVE-2022-21969 https://msrc.microsoft.com/upd... |
|
|
2021-11-04 |
IBM |
ADMIRA/AREMA |
not fixed |
Unauthenticated Remote Code Execution |
n/a |
|
|
2021-10-25 |
PikeTec |
TPT |
< 15u5 , < 16u4 |
Unauthenticated Remote Code Execution |
https://files.piketec.com/down... https://files.piketec.com/down... |
|
|
2021-10-21 |
TIBCO |
TIBCO JasperReports Server |
<= 7.9.0 |
Authenticated XXE |
CVE-2021-35496 https://www.tibco.com/support/... |
|
|
2021-10-01 |
UserScape, Inc |
HelpSpot |
<= 5.0.92 |
Unauthenticated RCE via Unsafe Cookie Deserialization |
|
|
|
2021-09-21 |
Jedox GmbH |
Jedox |
< 2021.3 |
(Un)Authenticated Remote Code Execution |
||
|
2021-09-14 |
Siemens |
Cerberus DSM, Desigo CC, Desigo CC Compact |
|
.NET Deserialization |
CVE-2021-37181 |
|
|
2021-08-03 |
Pageflex |
Storefront |
|
Arbitrary File Reading via Hard-coded Crypto Key |
|
|
|
2021-07-28 |
Lobster |
Lobster AdminConsole |
|
RCE via Arbitrary Class Execution |
|
|
|
2021-06-18 |
Aternity |
Aternity Agent |
< 12.1.3.95 |
Local Privilege Escalation to SYSTEM |
||
|
2021-04-30 |
Citrix |
ShareFile StorageZone Controller |
< 5.11.20 |
Path Traversal |
CVE-2021-22941 https://support.citrix.com/art... |
|
|
2021-01-15 |
Veeam |
Backup & Replication |
< 10.0.1.4854 P20210609 , < 11.0.0.837 P20210507 |
.NET Deserialization via .NET Remoting |
CVE-2021-35971 |
|
|
2020-12-08 |
Cisco |
Security Manager |
<= 4.23 |
Several Unauthenticated Remote Code Executions, File Reads and Writes |
CVE-2020-27130 CVE-2020-27131 CVE-2020,27125 https://tools.cisco.com/securi... https://tools.cisco.com/securi... https://tools.cisco.com/securi... |
|
|
2020-09-09 |
Eonic |
Protean CMS |
< 6.0.42.6 |
Various vulnerabilities (file read, file write, SQL injection, XSL transformation, DataSet deserialization) |
https://github.com/Eonic/Prote... https://github.com/Eonic/Prote... https://github.com/Eonic/Prote... |
|
|
2020-09-02 |
SparxSystems |
WebConfig |
<= 4.1.43 |
LFI leads to RCE |
|
|
|
2020-07-13 |
Sophos |
Firewall XG |
|
SQL Injection |
CVE-2020-15504 |
|
|
2020-05-11 |
Oracle |
WebLogic Server |
14.1.1 |
Java Deserialization |
CVE-2020-14644 CVE-2020-14645 CVE-2020-14687 |
|
|
2020-04-29 |
Pivotal |
Spring Web MVC |
|
Arbitrary File Read |
|
|
|
2020-04-17 |
SmarterTools Inc. |
SmarterStats |
< 7422 |
Unauthenticated Remote Code Execution via .NET Remoting |
||
|
2020-04-16 |
Dell |
Dell VxRail |
4.7.410/4.7.411/4.7.510 |
Unauthenticated access to encrypted administration credentials |
CVE-2020-5368 https://www.dell.com/support/k... |
|
|
2020-04-15 |
The OpenNMS Group |
OpenNMS |
< 26.0.1 |
Authenticated Remote Code Execution via unsecure Java deserialization |
CVE-2020-12760 https://issues.opennms.org/bro... |
|
|
2020-04-15 |
Zoho Corporation |
ManageEngine ADManager Plus, ManageEngine Cloud Security Plus, ManageEngine Log360, ManageEngine ADAudit Plus, ManageEngine DataSecurity Plus, ManageEngine O365 Manager Plus, ManageEngine RecoveryManager Plus, ManageEngine EventLog Analyzer |
< 7055 < 4110 < 5166 < 6052 < 6033 < 4334 < 6017 < 12136 |
Unauthenticated change of system configuration via unprotected Java servlets. |
CVE-2020-24786 https://medium.com/p/another-z... |
|
|
2020-04-08 |
HP |
HPE Insight Systems Manager |
<= 7.6 (unpatched) |
Unauthenticated Remote Code Execution via unsecure Java deserialization |
||
|
2020-04-06 |
Ivanti |
Avalanche Data Repository Service |
SQL Injection |
6.2.2 <= 6.3.1 |
||
|
2020-03-20 |
Liferay |
Portal |
6.x , 7.x |
Java Deserialization |
CST-7111 CST-7205 CVE-2020-7961 |
|
|
2020-03-17 |
Progress |
Telerik UI for Silverlight |
|
Arbitrary File Upload |
CVE-2020-11414 https://knowledgebase.progress... |
|
|
2020-03-09 |
SAP |
Netweaver |
7.10 , 7.11 , 7.30 , 7.31 , 7.40 , 7.50 |
Missing Authorization Check in SAP NetWeaver AS JAVA (MigrationService) |
CVE-2021-21481 https://wiki.scn.sap.com/wiki/... |
|
|
2020-02-27 |
SmarterTools |
SmarterMail |
15.7.6970 |
|
||
|
2020-02-10 |
FortiNet |
FortiSIEM |
|
Java Deserialization |
|
|
|
2020-01-17 |
Atoss |
ASES |
|
Authentication Bypass, Path Traversal |
|
|
|
2020-01-08 |
Progress |
Telerik MVC |
|
Path Traversal |
|
|
|
2019-11-27 |
Károly Pados |
TinyWall |
< 2.1.13 |
Privilege escalation via unsecure .NET deserialization and Process Spoofing. |
CVE-2019-19470 https://code-white.com/blog/20... |
|
|
2019-11-21 |
Sage |
300 People |
|
Java Deserialization |
|
|
|
2019-10-18 |
Orckestra Technologies Inc. |
C1 CMS |
< 6.7 |
Authenticated Remote Code Execution via unsecure .NET deserialization. |
CVE-2019-18211 https://github.com/Orckestra/C... https://medium.com/@frycos/yet... |
|
|
2019-10-09 |
Zoho Corporation |
ManageEngine OpManager |
< 12.4 |
Unauthenticated SQL-Injection via unprotected Java servlet |
CVE-2019-17602 https://medium.com/@frycos/fin... |
|
|
2019-10-01 |
Progress |
Telerik UI for Ajax ASP.NET |
|
Mitigation Bypass |
|
|
|
2019-08-27 |
myLittleTools |
myLittleAdmin |
3.8 |
.NET Deserialization |
|
|
|
2019-08-26 |
MailEnable Pty. Ltd |
MailEnable |
|
Path Traversal, Unauthenticated Socks5 Proxy |
|
|
|
2019-07-25 |
cPanel Inc. |
cpanel-dovecot-solr |
|
Java Deserialization |
n/a |
|
|
2019-07-22 |
FTAPI |
FTAPI |
< 4.6.3 |
Authenticated Remote Code Execution via unsecure Java deserialization |
https://www.ftapi.com/Release-... see Version 4.6.3 |
|
|
2019-06-04 |
Absorb LMS |
|
.NET Deserialization |
|
||
|
2019-05-17 |
Oracle |
Secure Global Desktop |
5.40-901 |
Java Deserialization |
|
|
|
2019-03-27 |
IBM |
IBM ServRAID |
all versions |
Unauthenticated Remote Code Execution via unprotected RMI-Registry. |
n/a |
|
|
2019-02-12 |
SmarterTools |
SmarterMail |
15.x |
XXE in SyncML, XXE in Keyoti RapidSpell |
|
|
|
2019-02-07 |
CribMaster |
CribMaster |
|
.NET Deserialization |
|
|
|
2019-02-07 |
Progress |
Telerik UI for Ajax ASP.NET |
|
.NET Deserialization |
CVE-2019-18935 |
|
|
2019-01-14 |
Developer Express Inc. |
DevExpress |
< 13.1.13 , < 13.2.14 , < 14.1.14 , < 14.2.16 , < 15.1.14 , < 15.2.18 , < 16.1.16 , < 16.2.14 , < 17.1.14 , < 17.2.12 , < 18.1.9 , < 18.2.6 |
.NET Deserialization |
T706639 |
|
|
2018-12-04 |
ILIAS |
ILIAS |
< 4.4.5? |
Authenticated file system data exfiltration via SOAP webservice. |
Probably https://docu.ilias.de/ilias.ph... |
|
|
2018-11-13 |
Avast Business |
Managed Workplace RMM |
|
.NET Deserialization |
CVE-2019-18935 |
|
|
2018-05-30 |
RedHat |
RichFaces |
4.x |
EL Injection |
RF-14309 CVE-2018-12532 |
|
|
2018-05-30 |
RedHat |
RichFaces |
3.x |
EL Injection |
RF-14310 CVE-2018-12533 |
|
|
2018-04-23 |
Genuine Channels |
|
.NET Deserialization |
|
||
|
2018-04-13 |
GWT |
|
Java Deserialization |
|
||
|
2018-02-22 |
TMW Systems |
|
.NET Deserialization |
|
||
|
2017-08-17 |
Tufin |
|
El Injection |
|
||
|
2017-05-17 |
SAP |
P4 |
|
Java Deserialization |
|
|
|
2017-04-04 |
HPE |
|
Java Deserialization |
|
||
|
2017-04-04 |
Atlassian |
Jira |
4.2.4-6.3.0 |
Java Deserialization |
VU#307983 CVE-2017-5983 |
|
|
2017-04-04 |
Pivotal |
Spring Flex |
|
Java Deserialization |
VU#307983 CVE-2017-3203 |
|
|
2017-04-04 |
GraniteDS |
3.1.1.GA |
Java Deserialization, JavaBeans Setter |
VU#307983 CVE-2017-3199 CVE-2017-3200 |
||
|
2017-04-04 |
Exadel |
Flamingo amf-serializer |
2.2.0 |
Java Deserialization, JavaBeans Setter, XXE |
VU#307983 CVE-2017-3201 CVE-2017-3202 CVE-2017-3206 |
|
|
2017-04-04 |
Adobe/Apache |
Flex BlazeDS |
4.7.2 |
Java Deserialization, JavaBeans Setter, XXE |
VU#307983 CVE-2017-5641 CVE-2015-3269 |
|
|
2017-04-04 |
Midnight Coders |
WebORB for Java |
5.1.1.0 |
Java Deserialization ,XXE |
VU#307983 CVE-2017-3207 CVE-2017-3208 |
|
|
2016-11-25 |
ezPublish |
|
Arbitrary File Upload |
EZP-26659 |
||
|
2016-10-05 |
ezPublish |
|
SQL Injection |
EZP-26405 |
||
|
2016-09-16 |
Code42 Software |
CrashPlan PROe |
3.6.2.1 |
Java Deserialization |
none |
|
|
2016-05-25 |
HP |
Service Manager |
9.40 |
CVE-2016-1998 |
||
|
2016-03-24 |
CommVault Systems |
Edge Server |
11 SP3 |
SQL Injection, Path Traversal, JSP File Inclusion |
|
|
|
2016-03-17 |
Oracle |
Hyperion |
|
Java Deserialization |
CVE-2016-3493 |
|
|
2016-02-22 |
Symantec |
Endpoint Protection |
11 |
|
|
|
|
2016-01-05 |
CommVault Systems |
Edge Server |
11 Build 80 |
Arbitrary File Upload/Download |
|
|
|
2015-12-18 |
HP |
Service Manager |
9.40 |
Java Deserialization, XXE |
CVE-2016-1998 CVE-2016-4371 |
|
|
2015-12-09 |
Oracle |
Weblogic JMS Client |
|
Java Deserialization |
CVE-2016-0638 |
|
|
2015-12-08 |
IBM |
WebSphere MQ JMS Client |
|
Java Deserialization |
CVE-2016-0360 |
|
|
2015-11-16 |
Symantec |
Endpoint Protection Manager |
|
Command Injection |
CVE-2015-6555 |
|
|
2015-11-16 |
Symantec |
Endpoint Protection Manager |
|
Java Deserialization |
CVE-2015-6554 |
|
|
2015-11-03 |
Apache |
Active MQ |
|
Java Deserialization |
CVE-2015-7253 |
|
|
2015-10-02 |
Lithium Technologies |
Community |
|
|
||
|
2015-09-04 |
CommVault Systems |
Edge Server |
10 R2 |
Java Deserialization, Command Injection |
VU#866432 CVE-2015-7253 |
|
|
2015-08-24 |
Apache |
Flex BlazeDS |
|
CVE-2015-3269 |
||
|
2015-08-21 |
Atlassian |
Bamboo |
|
Java Deserialization |
CVE-2015-6576 |
|
|
2015-07-31 |
Symantec |
Endpoint Protection |
12 , 1 |
Authentication Bypass, Arbitrary File Write/Read, Privilege Escalation, Path Traversal, SQL Injection, Binary Planting |
CVE-2015-1486 CVE-2015-1487 CVE-2015-1488 CVE-2015-1489 CVE-2015-1490 CVE-2015-1491 CVE-2015-1492 |
|
|
2015-07-22 |
webEdition |
|
SQL Injection |
VU#242092 |
||
|
2015-07-21 |
WebsiteBaker |
WebsiteBaker |
|
SQL Injection |
VU#164652 |
|
|
2015-06-15 |
Oracle |
WebLogic Server |
|
Java Deserialization |
CVE-2015-4582 |
|
|
2015-05-20 |
Webmin |
Usermin |
0.980-1.650 |
Command Execution |
CVE-2015-2079 https://code-white.com/blog/20... |
|
|
2015-01-21 |
iPass |
iPass Open Mobile |
|
Privilege Escalation via named pipe |
CVE-2015-0925 https://code-white.com/blog/20... |
|
|
|
Atlassian |
Jira |
|
CVE-2015-8798 |
||
|
|
Symantec |
Management Server Client |
|
Binary Planting |
CVE-2015-8113 |
|
|
|
Apache |
ActiveMQ Artemis JMS Client |
|
Java Deserialization |
CVE-2016-4978 |
|
|
|
Apache |
Qpid Client/JMS Client |
|
Java Deserialization |
CVE-2016-4974 |
|
|
|
Pivotal |
Spring AMQP |
|
Java Deserialization |
CVE-2016-2173 |
|
|
|
Oracle |
Weblogic Server |
|
Java Deserialization |
CVE-2015-4852 |
|
|
|
Oracle |
WebLogic Server |
|
Java Deserialization |
CVE-2016-3551 |
|
|
|
Symantec |
Management Server |
|
Named Pipe Process Call Arbitrary |
CVE-2015-8800 |
|
|
|
Microsoft |
Skype for Business |
|
.NET Deserialization |
CVE-2020-1147 |
|
|
|
Symantec |
Management Server |
|
Path Traversal |
CVE-2017-5641 |
|
|
|
Symantec |
Management Server |
|
Path Traversal/Binary Planting on Deployed Agent |
CVE-2015-8799 |
|
|
|
Bomgar |
Remote Support Portal |
|
PHP Deserialization |
CVE-2015-0935 |
|
|
|
Symantec |
Management Server |
|
SQL Injection |
CVE-2015-8157 |
|
Public Vulnerability List
