TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long MLST command.

Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature.

Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HTML.

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing “PHPSESSIS” to an array; (2) adding non-aplhanumeric chars to “PHPSESSID”; (3) changing the image parameter to array; or (4) changing the image parameter to a string, which reveals the installation path in an error message.

Wonder CMS 2014 allows remote attackers to obtain sensitive information by logging into the application with an array for the password, which reveals the installation path in an error message.

coders/tiff.c in ImageMagick allows remote attackers to cause a denial of service (application crash) via vectors related to the “identification of image.”

Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password.

qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message.

Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml.