routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.

The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 devices is vulnerable to an authentication bypass that allows an unauthenticated user to have access to the web interface without knowing the administrator's password.

The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use).

The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected.

GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id in cobc/typeck.c via crafted COBOL source code.

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.

In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution.

cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).

cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).

cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).

cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).

cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).

cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).

cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).

In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208).

cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).

cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).

cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).