Codec::parse in track.cpp in Untrunc through 2018-06-07 has a NULL pointer dereference via a crafted MP4 file because of improper interaction with libav.
Foxit Reader before 9.2 and PhantomPDF before 9.2 have a Use-After-Free that leads to Remote Code Execution, aka V-88f4smlocs.
Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities
Secunia Research: LibRaw "parse_minolta()" Infinite Loop Denial of Service Vulnerability
Adobe Systems - Arbitrary Code Injection Vulnerability
[slackware-security] httpd (SSA:2018-199-01)
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.
Vuln: Cisco SD-WAN Configuration and Management Service CVE-2018-0343 Remote Code Execution Vulnerability
Cisco SD-WAN Configuration and Management Service CVE-2018-0343 Remote Code Execution Vulnerability
Oracle MySQL Client CVE-2018-3081 Remote Security Vulnerability
Oracle MySQL Server Multiple Security Vulnerabilities
Oracle MySQL Server CVE-2018-3071 Remote Security Vulnerability
Microsoft .NET Framework CVE-2018-8356 Security Bypass Vulnerability
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when third-party vulnerable classes are present in the Ignite classpath. The vulnerability can be exploited if one sends a specially prepared form of a serialized object to the GridClientJdkMarshaller deserialization endpoint.
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.
MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsave action to admin/index.php, as demonstrated by an admin/index.php?anyid=47&n=admin&c=admin_admin&a=doaddsave URI.
SeaCMS v6.61 allows Remote Code Execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.
** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.