
Alerts

TZCERT-SU-24-0213 (Tenable Security Update)

Tenable has released a security update to address a vulnerability in showdownjs. Exploitation of this vulnerability may allow an attacker to cause a denial-of-service condition.

Users and administrators are encouraged to review the Tenable Security Advisory and apply the necessary updates.

TZCERT-SU-24-0212 (DebianOS Security Update)

Debian has released security updates to address vulnerabilities in knot-resolver and iwd. Exploitation of these vulnerabilities may allow an attacker to gain unauthorized access.

Users and administrators are encouraged to review DebianOS Security Advisories msg00039 and msg00038 and apply necessary updates.

TZCERT-SU-24-0211 (D-Link Security Update)

D-Link has released security updates to address a vulnerability in, and announce End-of-Life status for, D-Link DAP Access Point models. Exploitation of this vulnerability may allow an attacker to gain access to sensitive information.

Users and administrators are encouraged to review D-Link Security Advisories SAP10382 and SAP10380 and apply necessary updates.

TZCERT-SU-24-0210 (IBM Security Update)

IBM has released security updates to address vulnerabilities in multiple of its products. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review IBM Security Advisories dated 27th February 2024 and apply necessary updates.

XSS vulnerability in the LiteSpeed Cache plugin for WordPress (CVE-2023-40000)

Advisory No: TZCERT/SA/2024/02/29

Date of First Release: 28th February 2024

Source: securityaffairs

Software Affected:

  • LiteSpeed Cache plugin for WordPress

Overview:

The LiteSpeed Cache plugin for WordPress is affected by a vulnerability, tracked as CVE-2023-40000, which allows unauthenticated site-wide stored XSS. A remote attacker can exploit the vulnerability to steal sensitive information or gain escalated privileges on the WordPress site.

Description:

The free version of the LiteSpeed Cache plugin, a popular WordPress caching plugin with over 4 million active installations, is vulnerable because of the way it handles user input: it neither sanitizes the input nor escapes the output. The vulnerability resides in the function ‘update_cdn_status’, where an HTML value for the admin notice message is constructed directly from a POST body parameter. Successful exploitation allows unauthenticated stored XSS with a single HTTP request, resulting in theft of sensitive information or privilege escalation on the WordPress site.
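As an added illustration (not the LiteSpeed Cache plugin's own code), a hypothetical WordPress admin-notice handler showing the defective pattern the description above names beside a hardened version; the function names, option name and nonce action are assumed.

```php
<?php
// Added illustration only; does not reproduce the plugin's real update_cdn_status().
// Demonstrates the defect class: admin-notice HTML built from a POST parameter,
// stored, and later rendered, with no caller verification and no escaping.

// Vulnerable pattern (for contrast only): untrusted input becomes stored markup.
function demo_cdn_status_notice_vulnerable() {
    $msg = $_POST['msg'] ?? '';
    // Markup is assembled from raw input and persisted; every admin who later
    // loads the dashboard receives it unescaped (stored XSS).
    update_option( 'demo_cdn_notice', '<div class="notice"><p>' . $msg . '</p></div>' );
}

// Hardened pattern: verify the caller, sanitize on input, escape on output.
function demo_cdn_status_notice_hardened() {
    // Unauthenticated or low-privilege callers must not reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    // Nonce check (action name assumed) rejects forged cross-site requests.
    check_admin_referer( 'demo_cdn_status' );
    // Strip tags and control characters; store plain text, never HTML.
    $msg = sanitize_text_field( wp_unslash( $_POST['msg'] ?? '' ) );
    update_option( 'demo_cdn_notice', $msg );
}
add_action( 'admin_post_demo_cdn_status', 'demo_cdn_status_notice_hardened' );

// Render time: markup is added here, and stored text is HTML-escaped.
function demo_render_cdn_notice() {
    $msg = get_option( 'demo_cdn_notice', '' );
    if ( '' === $msg ) {
        return;
    }
    // esc_html() encodes <, >, &, " and ', so stored content cannot become markup.
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
}
add_action( 'admin_notices', 'demo_render_cdn_notice' );
```

The two fixes are independent: the capability and nonce checks close the unauthenticated entry point, while sanitizing on input and escaping on output neutralise the payload even if the entry point is reached.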

Impact:

Successful exploitation of this vulnerability may allow the remote attacker to gain access to sensitive information.

Solution:

WordPress has released a security update to resolve this vulnerability. Users and administrators are encouraged to update as soon as possible.

References:

  1. https://securityaffairs.com/159667/hacking/litespeed-cache-plugin-xss.html