The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).

The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.

The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.

The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.

openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21.

openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21.

openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21.

openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21.

openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21.

Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test.

DfE School Experience before v16333-GA has XSS via a teacher training URL.

django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline.

Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.

Bolt before 3.6.10 has XSS via an image's alt or title field.

Bolt before 3.6.10 has XSS via a title that is mishandled in the system log.

selectize-plugin-a11y before 1.1.0 has XSS via the msg field.

Kimai v2 before 1.1 has XSS via a timesheet description.

Domoticz 4.10717 has XSS via item.Name.