QSearchQSearch

CVE-2021-40843

7.3 HIGH

Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console

Published: 2021-10-13 · Last updated: 2026-06-17

Severity and scoring

CVSS
7.3 HIGH
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-502

Affected products

VendorProduct
proofpointinsider_threat_management_server

Description

Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to execute with SYSTEM privileges on the underlying server when a Web Console user triggers retrieval of that data. When chained with a SQL injection vulnerability, the vulnerability could be exploited remotely if Web Console users click a series of maliciously crafted URLs. All versions prior to 7.11.2 are affected.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-40842 Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console (9.8 CRITICAL)
  • CVE-2021-39304 Proofpoint Enterprise Protection before 8.12.0-2108090000 allows security control bypass (7.5 HIGH)

Same CWE

  • CVE-2026-48775 LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
  • CVE-2026-10748 An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
  • CVE-2026-24228 NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
  • CVE-2026-48853 Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
  • CVE-2026-9691 Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)