2 matches found
Code injection
Gxlcms uses an unsafe character-replacement approach in an attempt to restrict access, which allows remote attackers to read arbitrary files via modified pathnames in the s parameter to index.php, related to Lib/Admin/Action/TplAction.class.php and Lib/Admin/Common/function.php...
Directory traversal
Unspecified vulnerability in Secure Elements Class 5 AVR client and server (aka C5 EVM) before 2.8.1 allows authenticated attackers to overwrite arbitrary files (1) on a server during an update or (2) on a client via modified pathnames, possibly due to a directory traversal issue...