Directory traversal vulnerability in phpMyFAQ 1.3.12 allows remote attackers to read arbitrary files, and possibly execute local PHP files, via the action variable, which is used as part of a template filename.

Directory traversal vulnerability in phpMyFAQ 1.4.0 alpha allows remote attackers to read arbitrary files, and possibly execute local PHP files, via .. sequences in the lang (language) variable.

phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request.

Xconfig in Hummingbird Exceed before 9.0.0.1, when the Screen Definition is password-protected, allows local users to access certain options by switching to another tab, then switching back to the original tab.

vsftpd before 1.2.2, when under heavy load, allows attackers to cause a denial of service (crash) via a SIGCHLD signal during a malloc or free call, which is not re-entrant.

Opera Browser 7.23, and other versions before 7.50, updates the address bar as soon as the user clicks a link, which allows remote attackers to redirect to other sites via the onUnload attribute.

Cross-site scripting (XSS) vulnerability in e107 allows remote attackers to inject arbitrary script or HTML via the "login name/author" field in the (1) news submit or (2) article submit functions.

ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php.

SQL injection vulnerability in the valid function in fr_left.php in PlaySMS 0.7 and earlier allows remote attackers to modify SQL statements via the vc2 cookie.

Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed

UUDeview 0.5.20 and earlier handles temporary files insecurely during decoding, with unknown attack vectors and impact.

SQL injection vulnerability in Ansel 2.1 and earlier allows remote attackers to modify SQL statements via the image parameter.

Cross-site scripting (XSS) vulnerability in Ansel 2.1 and earlier allows remote attackers to inject arbitrary HTML or web script via the album name.

PimenGest2 before 1.1.1 allows remote attackers to obtain the database password via debug information in rowLatex.inc.php.

Stack-based buffer overflow in pads.c in Passive Asset Detection System (Pads) might allow local users to execute arbitrary code via a long report file name argument. NOTE: since Pads is not normally installed setuid, this may not be a vulnerability.

Unknown vulnerability in IBM Parallel Environment (PE) 3.2 and 4.1 allows attackers to execute arbitrary commands as root via unknown vectors in the sample code.

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

Buffer overflow in the sockFinger_DataArrival function in efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a long finger command.

efFingerD 0.2.12 allows remote attackers to cause a denial of service (daemon crash) via a packet with a single byte, which triggers a "Wrong protocol or connection state" error.

Unknown vulnerability in Jigsaw before 2.2.4 has unknown impact and attack vectors, possibly related to the parsing of the URI.