Tony

**Name of the Vulnerable Software and Affected Versions** Jeg Kit for Elementor WordPress plugin versions prior to 2.7.0 **Description** The Jeg Kit for Elementor WordPress plugin does not properly sanitize SVG file contents when uploaded through the `xmlrpc.php` file, which can result in a cross-site scripting issue. The vulnerable upload process occurs when handling SVG files, potentially allowing an attacker to inject malicious code. **Recommendations** Update the Jeg Kit for Elementor WordPress plugin to version 2.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) versions prior to 2.5.0 **Description** The software does not properly sanitize SVG file contents when uploaded. This occurs when using the `xmlrpc.php` endpoint with base64 encoding, which can lead to a Cross-Site Scripting issue. The vulnerable endpoint is `/xmlrpc.php`. The vulnerable operation involves uploading SVG files using base64 encoded data. **Recommendations** Update The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) to version 2.5.0 or later.

Name of the Vulnerable Software and Affected Versions: smallweigit Avue versions up to 3.4.4 Description: A problematic vulnerability was found in the avueUeditor component, leading to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The code maintainer notes that "rich text is no longer maintained". Recommendations: For versions up to 3.4.4, consider disabling the avueUeditor component to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samsung Pay versions prior to 4.0.65 **Description** The issue is related to an improper check or handling of exception conditions, which allows an attacker to use NFC without user recognition. **Recommendations** For versions prior to 4.0.65, update to version 4.0.65 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Traveloka application version 3.14.0 **Description** The issue allows for the opening of arbitrary URLs, potentially injecting deceptive content into the UI. When in physical possession of the device, it is also possible to open local files. The vendor has stated that the issue is not critical as it does not allow elevation of privilege, sensitive data leakage, or critical unauthorized activity from a malicious user, and requires the installation of a malicious APK. **Recommendations** For Traveloka application version 3.14.0, consider restricting access to the `com.traveloka.android.activity.common.WebViewActivity` component to minimize the risk of exploitation. As a temporary workaround, avoid using the application for sensitive activities until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.