Xiaoyong Wu

**Name of the Vulnerable Software and Affected Versions** AMP for WP – Accelerated Mobile Pages plugin for WordPress versions prior to 1.1.2 **Description** The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `disqus name` parameter due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. **Recommendations** Update to the latest version to secure your site. As a temporary workaround, consider restricting the use of the `disqus name` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.5 **Description** The issue is related to an XML External Entity (XXE) problem in the Text Formats component, which can be exploited by remote attackers to read arbitrary files. This can be achieved through a text file containing an XML external entity declaration in conjunction with an entity reference. The vulnerability is associated with a lack of protection for service data, allowing a remote attacker to exploit it and read arbitrary files using a text file with XML references to external entities. **Recommendations** For Apple OS X versions prior to 10.10.5, update to version 10.10.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Text Formats component in TextEdit until the update is applied. Avoid using the TextEdit application with untrusted text files until the issue is resolved.