osTicket version 1.9.12 suffers from authentication bypass, session fixation, file upload, and cross site scripting vulnerabilities.
4a19a2aa2c84b0fa5c0f2520b95e243cb8d22dc866f5c95fa4f4089635a66cbc
Collabtive version 1.0 suffers from cross site scripting, remote shell upload, and arbitrary account deletion vulnerabilities.
db6047545975993b9eb3318de2e4ffdb0ea6799f5df0acdd3e8af273d4493481
Elgg version 1.8.8 suffers from an insecure installation vulnerability.
1e4bb604f2161f37a4acd42f8b02dc3f5b8876fc19bab006c1f3fd5af506bb3c
The Liferay JSON implementation does not check if a user calling a method on a serviceClass is disabled. Usually the default administrator user, test@liferay.com, is used to create a new administrator and disabled without a change to the default password, so it is possible to use it to execute JSON API calls. Versions 6.0.5 and 6.0.6 are vulnerable.
840d89136b0bbd34dcc7fbaa674c8f425af2c5bab7ef9bb1fac81338af82ef39