---+ Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.4.

This alert covers a number of Severity 3 issues corrected through the normal bugfix process.  

*XSS / JavaScript injection vulnerabilities:*
   * Foswikitask:Item14381 mod_perl unexpectedly decodes the URI, and X-FoswikiURI header should be debug only.
   * Foswikitask:Item14377 Error message from rest script requires some encoding.

*Other security-related issues:*
   * Foswikitask:Item14346 Systemd service file example runs foswiki as root.

---++ Severity Level

3

The severity level was assigned by the Foswiki Community.SecurityTaskTeam as documented in Development.SecurityAlertProcess.

---++ Vulnerable Software Versions



---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE- to this vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-

---++ Impact

None of these issues are believed to result in compromise of the web server or of Foswiki data.

---++ Details

Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.4.

---++ Countermeasures

Good browser practices can now prevent most XSS injection attacks.  We also recommend sending the appropriate security headers in every response; these can be set in the web server configuration.
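As an added illustration of the web-server-side headers mentioned above (this is example configuration written for this page, not configuration shipped with Foswiki or recommended in the linked tasks), the following Apache httpd fragment sets the common browser-enforced protections. It assumes Apache 2.4 with mod_headers enabled and a site served over HTTPS; the Content-Security-Policy directive values are an assumption and start in report-only mode so that a wiki's own inline scripts and styles are not broken before the policy has been reviewed.

```apache
# Added example (not from the Foswiki advisory): response security headers for an
# Apache 2.4 virtual host in front of Foswiki. Requires mod_headers ("a2enmod headers").
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared Content-Type,
    # which otherwise lets an attachment be interpreted as script.
    Header always set X-Content-Type-Options "nosniff"

    # Refuse to be framed by other origins (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Content Security Policy: restricts where script and style may come from, so most
    # injected markup cannot execute even if reflected into a page. Directive values are
    # an assumption for this example; Report-Only logs violations to the browser console
    # instead of blocking, so the policy can be tightened and then renamed to
    # Content-Security-Policy once it is known not to break the site.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

    # Do not leak full URLs (including query strings) to third-party sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Only on HTTPS connections: tell browsers to refuse plain HTTP for this host
    # for one year (HSTS). The expr= condition keeps it off plain-HTTP responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>
```

After reloading Apache, confirm the headers are present with `curl -sI https://wiki.example.org/` (hostname is a placeholder) and check the browser console for CSP reports before switching the policy from Report-Only to enforcing.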

---++ Authors and Credits

Thanks to Tim Coen of Curesec !GmbH for finding and reporting the XSS issues, and thanks to Maxime Besson, who reported the issue with the systemd files.

---++ Hotfix for Foswiki Production Release

No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.4.