The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

AirTies Air5341 1.0.0.12 devices allow cgi-bin/login CSRF.

AirTies Air 5442 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5453 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5021 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5750 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

AirTies Air 5650 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.

Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.