The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.

The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.

EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.

A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/.

Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.

ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c.

ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c.

ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option.

TrackR devices through 2020-05-06 allow attackers to trigger the Beep (aka alarm) feature, which will eventually cause a denial of service when battery capacity is exhausted.

The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters.

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.

An issue was discovered in Aviatrix Controller through 5.1. An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix), aka XML Signature Wrapping.