The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections

Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.

Mule Enterprise Management Console (MMC) does not properly restrict access to handler/securityService.rpc, which allows remote authenticated users to gain administrator privileges and execute arbitrary code via a crafted request that adds a new user. NOTE: this issue was originally reported for ESB Runtime 3.5.1, but it originates in MMC.

The logging feature in eMule Plus before 1.2e allows remote attackers to cause a denial of service (infinite loop) via unspecified attack vectors.

Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule 2.2.4 allows remote attackers to conduct argument injection attacks into a command for mplayer via a crafted filename.

Buffer overflow in Uploadlist in eMule X-Ray before 1.4 has unknown impact and remote attack vectors.

Unspecified vulnerability in eMule Plus before 1.2d has unknown impact and attack vectors related to "staticservers.dat processing."

Multiple unspecified vulnerabilities in aMuleWeb for AMule before 2.1.2 allow remote attackers to read arbitrary image, HTML, or PHP files via unknown vectors, probably related to directory traversal.

Unspecified "information leakage" vulnerabilities in aMuleWeb for AMule before 2.1.2 allow remote attackers to access arbitrary images, including dynamically generated images, via unknown vectors.

Stack-based buffer overflow in DecodeBase16 function, as used in the (1) IRC module and (2) web server in eMule 0.42d, allows remote attackers to execute arbitrary code via a long string.