Nir Goldshlager

**Name of the Vulnerable Software and Affected Versions** WordPress versions 3.9.0 through 3.9.1 **Description** The issue in WordPress might allow remote attackers to execute arbitrary code via crafted serialized data in the widget implementation. **Recommendations** For WordPress versions 3.9.0 through 3.9.1, update to version 3.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.9.2 **Description** The issue allows remote attackers to bypass a CSRF protection mechanism via a brute-force attack. This is due to the different timing of rejecting invalid CSRF nonces depending on which characters in the nonce are incorrect. **Recommendations** For versions prior to 3.9.2, update to version 3.9.2 or later to resolve the issue. As a temporary workaround, consider implementing additional security measures to prevent brute-force attacks.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 3.9.2 **Description** A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML and obtain Super Admin privileges via a crafted avatar URL when Multisite is enabled. **Recommendations** For versions prior to 3.9.2, update to version 3.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ownCloud Server versions prior to 5.0.15 ownCloud Server versions 6.0.x prior to 6.0.2 **Description** The issue allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. This is due to a vulnerability in the getID3() function. **Recommendations** For ownCloud Server versions prior to 5.0.15, update to version 5.0.15 or later. For ownCloud Server versions 6.0.x prior to 6.0.2, update to version 6.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Check Point Connectra NGX R62 versions 3.x and earlier before Security Hotfix 5 Check Point VPN-1 NGX R62 (affected versions not specified) **Description** The issue allows remote attackers to bypass security requirements. This is achieved by sending a crafted Report parameter to the sre/params.php file in the Integrity Clientless Security (ICS) component, which then returns a valid ICSCookie authentication token. **Recommendations** For Check Point Connectra NGX R62 versions 3.x and earlier, apply Security Hotfix 5 to resolve the issue. For Check Point VPN-1 NGX R62, at the moment, there is no information about a newer version that contains a fix for this vulnerability.