Pedro Pinho

#19117 of 53,632
14 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-44207
8.6
2026-05-28
WordPress · Eupago Eupago Gateway For Woocommerce · CVE-2026-7862
**Name of the Vulnerable Software and Affected Versions**
Eupago Gateway For Woocommerce WordPress plugin versions prior to 4.7.2

**Description**
The plugin fails to properly restrict access to its refund request handler. This allows unauthenticated attackers to initiate refunds for any WooCommerce order using the merchant's payment gateway credentials. For certain payment methods, this can be used to redirect the refunded funds to a bank account controlled by the attacker.

**Recommendations**
Update to version 4.7.2 or later.
PT-2024-21095
5.4
2024-04-04
Esri · Portal For Arcgis · CVE-2024-25697
**Name of the Vulnerable Software and Affected Versions**
Portal for ArcGIS versions <=11.1

**Description**
The issue is related to a Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link. When an authenticated user opens their bio page, it will render an image in the victim's browser. The privileges required to execute this attack are low.

**Recommendations**
For Portal for ArcGIS versions <=11.1, update to a version greater than 11.1 to resolve the issue. As a temporary workaround, consider restricting access to bio pages for authenticated users until a patch is available.