In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and appended directly to the query.
An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php button_text_link parameter.
The isearch package (textproc/isearch) before 1.47.01nb1 uses the tempnam() function to create insecure temporary files into a publicly-writable area (/tmp).
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.