Telegram rlottie 7.0.1_2065 is affected by a Stack Based Overflow in the blit function: a remote attacker might be able to access Telegram's stack memory out-of-bounds on a victim device.
Telegram rlottie 7.0.1_2065 is affected by a Stack Based Overflow in the gray_split_cubic function: a remote attacker might be able to overwrite Telegram's stack memory out-of-bounds on a victim device.
Telegram rlottie 7.0.1_2065 is affected by an Integer Overflow in the LOTGradient::populate function: a remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device.
Telegram rlottie 7.0.1_2065 is affected by an Integer Overflow in the LottieParserImpl::parseDashProperty function: a remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device.
Telegram rlottie 7.0.1_2065 is affected by a Type Confusion in the VDasher constructor: a remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device.
CVE-2020-28642: A vulnerability in InfiniteWP allows unauthenticated users to log-in if they know an email address of one of the users in the system, this is done through a flaw in the password reset mechanism of the product. An additional vulnerability allows the attacker to achieve Remote Code Execution.
CVE-2020-28042: ServiceStack prior to version 5.9.2 is affected by a JWT signature verification bypass in the 'ServiceStack.Auth.JwtAuthProviderReader' method, which could be used to bypass the authentication mechanisms and/or to elevate privileges.
Bitwarden Server 1.35.1 is affected by a blind Server-Side Request Forgery (SSRF): an authenticated attacker can trigger arbitrary HTTP GET requests, even to locally exposed services, by adding a credential for a malicious domain.
Chadha PHPKB 9.0 Enterprise Edition is affected by an arbitrary file disclosure: installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.
LibreNMS 1.65 is affected by an authenticated command-injection vulnerability in the "/about" API endpoint. A "normal" privileges attacker can gain Remote Code Execution (RCE) on the LibreNMS host.