A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete.

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.

In JetBrains YouTrack Mobile before 2021.2, access token protection on iOS is incomplete.

In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.

In JetBrains YouTrack Mobile before 2021.2, iOS URL scheme hijacking is possible.

In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.