Samsung wssyncmlnps before 2015-10-31 allows directory traversal in a Kies restore, aka ZipFury.

Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices allow attackers to send AT commands by plugging the device into a Linux host, aka SVE-2016-5301.

Buffer overflow in ImageIO in Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a crafted image.

Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner.

Firejail uses weak permissions for /dev/shm/firejail and possibly other files, which allows local users to gain privileges.

modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

SeaWell Networks Spectrum SDC 02.05.00 has a default password of “admin” for the “admin” account.

Firejail allows –chroot when seccomp is not supported, which might allow local users to gain privileges.

Multiple cross-site scripting (XSS) vulnerabilities in Oliver (formerly Webshare) 1.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the (1) login page (index.php) or (2) login form (loginform-inc.php).

SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.