Kane Gamble

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 8.5.4 through 8.7.3 **Description** The issue is related to an XSS problem that can be exploited by an unauthenticated user, utilizing the redirect parameter. **Recommendations** For Pega Platform versions 8.5.4 through 8.7.3, consider restricting access to the redirect parameter to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 7.3 through 8.7.3 **Description** The issue is related to a misconfiguration of a datapage setting, leading to an XSS problem. **Recommendations** For versions 7.3 through 8.7.3, update the datapage setting configuration to prevent the XSS issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pega Platform versions 8.3 through 8.7.3 **Description** The issue may allow authenticated security administrators to alter CSRF settings directly. **Recommendations** For Pega Platform versions 8.3 through 8.7.3, consider restricting access to CSRF settings for authenticated security administrators until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GiveWP plugin for WordPress versions up to, and including, 2.20.2 **Description** The issue allows unauthenticated users to access donor information through the "/donor-wall" REST-API endpoint, even when the donor wall is not enabled. This functionality has been removed in version 2.20.2. **Recommendations** For versions up to, and including, 2.20.2, update to a version where this functionality has been removed, such as version 2.20.2 or later, to prevent unauthenticated access to donor information via the "/donor-wall" REST-API endpoint. As a temporary workaround, consider disabling the "/donor-wall" REST-API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** wire-webapp versions prior to 2021-06-01-production.0 **Description** A cross-site scripting issue exists in the web version of Wire, an open-source messenger. If a user opens an image in a new tab, the image payload is executed on the domain hosting the app. This allows malicious code within the image to be executed, potentially giving an attacker full control over the user account. **Recommendations** For versions prior to 2021-06-01-production.0, update to version 2021-06-01-production.0 to resolve the issue. As a temporary workaround, users should not try to open image URLs.