TestLink 1.9.19 has XSS via the error.php message parameter.

On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.

cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Records action (SEC-377).

cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action (SEC-376).

cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" action (SEC-375).

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-374).

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373).

cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372).

cPanel before 70.0.23 allows any user to disable Solr (SEC-371).

cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-370).

cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action (SEC-369).

In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files (SEC-368).

cPanel before 70.0.23 allows attackers to read the root accesshash via the WHM /cgi/trustclustermaster.cgi (SEC-364).

cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).

cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).

cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity Interface (SEC-357).

cPanel before 70.0.23 allows arbitrary file-chmod operations during legacy incremental backups (SEC-338).

cPanel before 71.9980.37 allows arbitrary file-read operations during pkgacct custom template handling (SEC-435).

cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API feature restriction (SEC-432).