Red Hat Security Advisory 2016-0286-01 – Chromium is an open-source web browser, powered by WebKit. Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. All Chromium users should upgrade to these updated packages, which contain Chromium version 48.0.2564.116, which corrects these issues. After installing the update, Chromium must be restarted for the changes to take effect.
Monthly Archives: February 2016
Adobe Flash SimpleButton Creation Type Confusion
There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it is not of type Button, type confusion can occur.
libquicktime 1.2.4 Integer Overflow
libquicktime version 1.2.4 suffers from an integer overflow vulnerability.
OpenCms 9.5.2 Cross Site Scripting
OpenCms version 9.5.2 suffers from a cross site scripting vulnerability.
Ubiquiti Networks airCRM Cross Site Scripting
Ubiquiti Networks airCRM suffers from a cross site scripting vulnerability.
InstantCoder 1.0 Local File Inclusion / Directory Traversal
InstantCoder version 1.0 suffers from local file inclusion and directory traversal vulnerabilities.
New Silverlight Attacks Appear in Angler Exploit Kit
Exploits targeting a patched Silverlight vulnerability have found their way into the Angler Exploit Kit and victims are being hit with TeslaCrypt ransomware.
Apache Tomcat Security Manager Bypass
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. Apache Tomcat versions 7.0.0 through 7.0.67, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 through 9.0.0.M2 are affected.
IRS Warns Tax-Related Phishing, Malware Surging
The IRS warns businesses and consumers about a significant increase in tax-related phishing and malware attacks.
Android porn clicker on Google Play: Appendix
Trojan clicker servers. Google Play information. Package names of trojan clickers found on the infected servers.
The post Android porn clicker on Google Play: Appendix appeared first on We Live Security.