CVE-2019-10406 (jenkins)

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

CVE-2008-3872 (flash_player)

Adobe Flash Player and earlier, and 9.x up to, allows remote attackers to bypass the allowScriptAccess parameter setting via a crafted SWF file with unspecified “Filter evasion” manipulations.