agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a – (dash) character in an HTTP header, as demonstrated by an X_User header.

The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.

Juniper ScreenOS before 6.3.0r21, when ssh-pka is configured and enabled, allows remote attackers to cause a denial of service (system crash) or execute arbitrary code via crafted SSH negotiation.

Gummi 0.6.5 allows local users to write to arbitrary files via a symlink attack on a temporary dot file that uses the name of an existing file and a (1) .aux, (2) .log, (3) .out, (4) .pdf, or (5) .toc extension for the file name, as demonstrated by .thesis.tex.aux.

The Joint Photographic Experts Group Processing Unit (JPU) driver in Huawei ALE smartphones with software before ALE-UL00C00B220 and ALE-TL00C01B220 and GEM-703L smartphones with software before V100R001C233B111 allows remote attackers to cause a denial of service (crash) via a crafted application with the system or camera permission, a different vulnerability than CVE-2015-8226.

The Joint Photographic Experts Group Processing Unit (JPU) driver in Huawei ALE smartphones with software before ALE-UL00C00B220 and ALE-TL00C01B220 and GEM-703L smartphones with software before V100R001C233B111 allows remote attackers to cause a denial of service (crash) via a crafted application with the system or camera permission, a different vulnerability than CVE-2015-8225.

Huawei Document Security Management (DSM) with software before V100R002C05SPC661 does not clear the clipboard when closing a secure file, which allows local users to obtain sensitive information by pasting the contents to another file.

Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup for an external image reference.

The CoreUserInputHandler::doMode function in core/coreuserinputhandler.cpp in Quassel 0.10.0 allows remote attackers to cause a denial of service (application crash) via the “/op *” command in a query.

Open redirect vulnerability in Blue Coat ProxySG 6.5 before 6.5.8.8 and 6.6 and Advanced Secure Gateway (ASG) 6.6 might allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a base64-encoded URL in conjunction with a “clear text” one in a coaching page, as demonstrated by “http://www.%humbug-URL%.local/bluecoat-splash-API?%BASE64-URL%.”