The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory.

Kolab stores OpenLDAP passwords in plaintext in the slapd.conf file, which may be installed world-readable, which allows local users to gain privileges.

Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a hexadecimal encoded dot-dot attack (eg. http://www.server.com/%2e%2e/%2e%2e) in an HTTP URL request.