Unrestricted file upload in Bolo Solo up to version 2.6.4 allows authenticated remote attackers to upload arbitrary files via the FreeMarker Template Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. An attacker with valid credentials can achieve limited confidentiality, integrity, and availability impacts.
ZenTao versions up to 21.7.6-85642 contain a server-side request forgery vulnerability in the Webhook Module's fetchHook function that allows remote attackers to initiate requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. [CVSS 3.8 LOW]
Jazz Reporting Service versions up to 7.0.3 contains a vulnerability that allows attackers to an authenticated user on the network to affect the system's performance using co (CVSS 3.5).
Jazz Reporting Service versions up to 7.0.3 contains a vulnerability that allows attackers to an authenticated user on the host network to obtain sensitive information about (CVSS 3.5).
Jazz Reporting Service versions up to 7.0.3 is affected by allocation of resources without limits or throttling (CVSS 3.5).
A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated [CVSS 3.3 LOW]
Big-Ip Access Policy Manager is affected by user interface (ui) misrepresentation of critical information (CVSS 3.1).
Hillstone Networks Operation and Maintenance Security Gateway on Linux is affected by unrestricted upload of file with dangerous type (CVSS 2.7).
Wagtail is an open source content management system built on Django. [CVSS 2.7 LOW]
lcg0124 BootDo is susceptible to cross-site request forgery (CSRF) attacks due to insufficient request validation, allowing remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability, though no patch is currently available. The rolling release model used by this product complicates version tracking for affected and patched instances.