PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter.

LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.

distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.

Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.

Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) “Name of application” on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal.

GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml.

qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message.

coders/tiff.c in ImageMagick allows remote attackers to cause a denial of service (application crash) via vectors related to the “identification of image.”

Pluck CMS 4.7.2 allows remote attackers to obtain sensitive information by (1) changing “PHPSESSIS” to an array; (2) adding non-aplhanumeric chars to “PHPSESSID”; (3) changing the image parameter to array; or (4) changing the image parameter to a string, which reveals the installation path in an error message.

Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature.