Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php.

Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

gdm3 3.14.2 and possibly later has an information leak before screen lock

Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions

Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book

Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file.

The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable.

The scipy.weave component in SciPy before 0.12.1 creates insecure temporary directories.

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the start and end time fields.

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of service via a series of requests to mutt temporary files.

evince is missing a check on number of pages which can lead to a segmentation fault

MiniDLNA has heap-based buffer overflow

MiniUPnPd has information disclosure use of snprintf()

Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct "poisoned NUL byte attack."

OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

autojump before 21.5.8 allows local users to gain privileges via a Trojan horse custom_install directory in the current working directory.

A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 and 1.20.x before 1.20.4 and allows remote attackers to inject arbitrary web script or HTML via Lua function names.