SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in/ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.
perltidy through 20160302, as used by perl critic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which allows local users to overwrite arbitrary files by creating a symlink, as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete.
Integer overflow in X.org libxfixes-dev before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX,which triggers the client to stop read ing data and get out of sync.
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allow sremote authenticated users to obtain sensitive information by read ing the fields in the ics or XML calendar feeds.
xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.
Multiple XML external entity vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9allow remote attackers to read arbitrary files via a crafted XML document.