AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit. Rated low severity (CVSS 3.3). Public exploit code available and no vendor patch available.
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.