Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough

Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results

Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.

Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to

Moodle before 2.2.2 has users' private files included in course backups

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

tuned before 2.x allows local users to kill running processes due to insecure permissions with tuned's ktune service.

MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.

A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a version, related to deleting a version.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.