
Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.4.

Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists.

This alert covers a number of Severity 3 issues corrected through the normal bugfix process.

XSS / JavaScript injection vulnerabilities:

Other security related issues

Severity Level

Severity 3 issue: Foswiki content or browser is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.

Vulnerable Software Versions

Fixed in Foswiki 2.1.4

Impact

None of these issues are believed to result in compromise of the web server or of Foswiki data.

Details

Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.4.

Countermeasures

Good browser practices can now prevent most XSS injection attacks. We also recommend using the appropriate security headers, which can be set in the web server configuration.
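As an added illustration of the web-server-side countermeasure above (this is not configuration shipped by Foswiki or given in the advisory), the following Apache virtual host fragment sets the common security headers. It assumes Apache with mod_headers enabled; the hostname is a placeholder and every header value is an assumption to be tuned for the local Foswiki installation.

```apache
# Added example, not from the Foswiki advisory. Assumes mod_headers is loaded.
# Header values are assumptions; tune them for your own Foswiki site.
<VirtualHost *:443>
    # Placeholder hostname
    ServerName wiki.example.org

    # Stop browsers from sniffing a response into a different MIME type,
    # which can turn an attached file into a script the browser executes.
    Header always set X-Content-Type-Options "nosniff"

    # Refuse to be framed by other origins (clickjacking protection).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Content Security Policy in report-only mode first: violations show
    # up in the browser console without breaking the wiki's own scripts.
    # Switch to Content-Security-Policy once the policy has been tuned.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

    # Send only the origin part of the Referer to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Once the site is served over HTTPS only, make browsers refuse plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Check the result with a plain request (for example `curl -sI https://wiki.example.org/`) and confirm each header appears on every Foswiki response, including error pages.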

Authors and Credits

Thanks to Tim Coen of Curesec GmbH for finding and reporting the XSS issues. Thanks also to Maxime Besson, who reported the issue with the systemd files.

Hotfix for Foswiki Production Release

No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.4.
Topic revision: r4 - 08 Mar 2023, MichaelDaum