Wing FTP Server before 4.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via two zip commands.

Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.

Cross-site scripting (XSS) vulnerability in tokyo_bbs.cgi in Come on Girls Interface (CGI) Tokyo BBS allows remote attackers to inject arbitrary web script or HTML via vectors related to the error page.

SQL injection vulnerability in mnoGoSearch before 3.3.12 allows remote attackers to execute arbitrary SQL commands via the hostname in a hypertext link.

SQL injection vulnerability in user.php in Social Network Community 2 allows remote attackers to execute arbitrary SQL commands via the userId parameter.

Heap-based buffer overflow in IrfanView before 4.32 allows remote attackers to execute arbitrary code via crafted "Rows Per Strip" and "Samples Per Pixel" values in a TIFF image file.

Multiple SQL injection vulnerabilities in the selectUserIdByLoginPass function in seotoaster_core/application/models/LoginModel.php in Seotoaster 1.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to sys/login/index or (2) memberLoginName parameter to sys/login/member.

SQL injection vulnerability in quickstart/profile/index.php in the Forum module in appRain CMF 0.1.5 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO.

Cross-site scripting (XSS) vulnerability in the Search module (quickstart/search) in appRain CMF 0.1.5 allows remote attackers to inject arbitrary web script or HTML via the ss parameter.

Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.

Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots.

Cross-site scripting (XSS) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

SQL injection vulnerability in rub2_w.php in PHP Flirt-Projekt 4.8 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the rub parameter.

Cross-site scripting (XSS) vulnerability in the getLog function in svnlook.php in WebSVN before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to (1) comp.php, (2) diff.php, or (3) revision.php.

Cross-site scripting (XSS) vulnerability in templates/default/Admin/Login.html in PHP-SCMS 1.6.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter to index.php.

Directory traversal vulnerability in examples/show_code.php in mPDF 5.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.

SQL injection vulnerability in DotA OpenStats 1.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

Directory traversal vulnerability in the PXE Mtftp service in Hitachi JP1/ServerConductor/DeploymentManager before 08-55 Japanese and before 08-51 English allows remote attackers to read arbitrary files via unknown vectors.

SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. NOTE: some of these details are obtained from third party information.

SQL injection vulnerability in index.php in Video Community Portal allows remote attackers to execute arbitrary SQL commands via the id parameter.

Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.

Multiple SQL injection vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login[username] parameter to index.php, (2) parent_id parameter to modules/Documents/version_list.php, or (3) contact_id parameter to modules/Documents/index.php.

Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz72850.