CVE-2020-13761

In Joomla! before 3.9.19, lack of input validation in the heading tag option of the “Articles – Newsflash” and “Articles – Categories” modules allows XSS.

CVE-2020-13764

common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.