D0Nut

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault versions prior to 1.14.10 HashiCorp Vault versions prior to 1.15.5 **Description** The issue is related to errors in the procedure for confirming the authenticity of certificates. An attacker may be able to craft a malicious certificate to bypass authentication when the TLS certificate authentication method is configured with a non-CA certificate as a trusted certificate. **Recommendations** For HashiCorp Vault versions prior to 1.14.10, update to version 1.14.10 or later to resolve the issue. For HashiCorp Vault versions prior to 1.15.5, update to version 1.15.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the TLS certificate authentication method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SVG Support plugin for WordPress versions up to, and including, 2.5.5 **Description** The issue is related to Stored Cross-Site Scripting via the SVG upload feature due to insufficient input sanitization and output escaping. This allows authenticated attackers with author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful exploitation requires the administrator to allow author-level users to upload SVG files. **Recommendations** For versions up to, and including, 2.5.5, consider disabling the SVG upload feature until a patch is available to prevent exploitation. Restrict access to the `SVG upload` feature to minimize the risk of arbitrary web script injection. Avoid allowing author-level users to upload SVG files until the issue is resolved.