Apache Commons BeanUtils, version 1.9.2, used in Alfresco 5.0 and 5.1, is one of the libraries reported to have a deserialization vulnerability. It depends on the vulnerable Apache Commons Collections, version 3.2.1; see e.g. the commons-beanutils dependencies.
commons-beanutils has upgraded commons-collections from 3.2.1 to 3.2.2, where the vulnerability is fixed, in its current development version 1.9.3, which is not yet released; see BEANUTILS-482 and https://svn.apache.org/viewvc/commons/proper/beanutils/trunk/, r1714371 on Nov 14 21:00:27 2015 UTC.
We need to upgrade commons-beanutils when version 1.9.3 is released.
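To confirm which of these jars a deployment actually ships, the check below walks a library directory and flags commons-collections below 3.2.2 and commons-beanutils below 1.9.3. It is an added example, not Alfresco or Apache code; it assumes versions can be read from jar file names, and the directory contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Minimum versions taken from the text above: commons-collections 3.2.2 carries
# the fix, and commons-beanutils 1.9.3 is the version that depends on it.
MINIMUM = {"commons-collections": (3, 2, 2), "commons-beanutils": (1, 9, 3)}

# Assumption: jars keep the usual <artifact>-<version>.jar file name.
JAR_RE = re.compile(r"^(commons-collections|commons-beanutils)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_lib_dir(lib_dir):
    """Return sorted (jar name, artifact, version, needs_upgrade) tuples."""
    findings = []
    for jar in Path(lib_dir).rglob("*.jar"):
        match = JAR_RE.match(jar.name)
        if not match:
            continue  # other artifacts (e.g. commons-collections4) are out of scope
        artifact, version = match.group(1), match.group(2)
        stale = parse_version(version) < MINIMUM[artifact]
        findings.append((jar.name, artifact, version, stale))
    return sorted(findings)


def demo():
    """Audit a constructed lib directory filled with empty placeholder jars."""
    names = [
        "commons-beanutils-1.9.2.jar",
        "commons-collections-3.2.1.jar",
        "commons-collections-3.2.2.jar",
        "commons-collections4-4.0.jar",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in names:
            (lib / name).touch()
        return audit_lib_dir(tmp)


if __name__ == "__main__":
    for name, _artifact, _version, stale in demo():
        print(f"{name}: {'UPGRADE NEEDED' if stale else 'ok'}")
```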