The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 1.2.1 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted DEX file.
elflink.c in the Binary File Descriptor library, as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via an "int main {return 0;}" program.
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is miti ...
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting via Media File Metadata. This is demonstrated by both mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and mishandling of meta information in the renderTracks function in wp-includes/js/libjs-mediaelement/wp-playlist.js.
In lrzip 0.631, a stack buffer overflow was found in the function get_fileinfo in lrzip.c:1074, which allows attackers to cause a denial of service via a crafted file.