Security Alerts for Foswiki

| Item | Affects | Fixed in | Summary |
|---|---|---|---|
| SecurityAlert-CVE-2023-33756 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.10-RC1, 1.2.0_Beta_1, 1.2.0_Beta_2, 2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.0-Beta1, 2.1.1, 2.1.1-RC1, 2.1.1-RC2, 2.1.2, 2.1.3, 2.1.3-Beta1, 2.1.3-Beta2, 2.1.3-RC1, 2.1.4, 2.1.4-RC1, 2.1.4-RC2, 2.1.4-RC3, 2.1.5, 2.1.5-RC, 2.1.6, 2.1.7 | Foswiki 2.1.8 | SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server |
| SecurityAlert-CVE-2023-24698 | 2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.0-Beta1, 2.1.1, 2.1.1-RC1, 2.1.1-RC2, 2.1.2, 2.1.3, 2.1.3-Beta1, 2.1.3-Beta2, 2.1.3-RC1, 2.1.4, 2.1.4-RC1, 2.1.4-RC2, 2.1.4-RC3, 2.1.5, 2.1.5-RC, 2.1.6, 2.1.7 | Foswiki 2.1.8 | Local file inclusion vulnerability in viewfile |
| SecurityAlert-CVE-2018-7446 | 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.10-RC1, 1.2.0_Beta_1, 1.2.0_Beta_2, 2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.0-Beta1, 2.1.1, 2.1.1-RC1, 2.1.1-RC2, 2.1.2, 2.1.3, 2.1.3-Beta1, 2.1.3-Beta2, 2.1.3-RC1, 2.1.4, 2.1.4-RC1, 2.1.4-RC2, 2.1.4-RC3, 2.1.5, 2.1.5-RC | Foswiki 2.1.6 | User Registration process can be compromised through user registration. |
| SecurityAlert-CVE-2014-7237 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9 | Foswiki 2.0 | Windows Apache server configured using .htaccess files can be compromised. |
| SecurityAlert-CVE-2013-1666 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7 | Foswiki 1.1.8 | Code injection vulnerability in MAKETEXT macro |
| SecurityAlert-CVE-2012-6330 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6 | Foswiki 1.1.7 | Denial-of-Service vulnerability in MAKETEXT macro |
| SecurityAlert-CVE-2012-6329 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6 | Foswiki 1.1.7 | Code injection vulnerability in MAKETEXT macro |
| SecurityAlert-CVE-2012-1004 | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4 | Foswiki 1.1.5 | Foswiki Script Insertion Vulnerability via unchecked user registration fields |
| SecurityAlert-CVE-2010-4215 | 1.1.0, 1.1.1 | Foswiki 1.1.2 | A normal user can alter topic preferences using the "Edit topic preference settings" feature and save them even though he has no privileges to edit the topic |
| SecurityAlert-CVE-2009-1434 | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4 | Foswiki 1.0.6 | Foswiki Page View Cross-Site Request Forgery (CSRF) |
| SecurityAlert-SlideShowPlugin-2011-0828 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1 | Foswiki 1.1.4 | SlideShowPlugin prior to version 2.1.4 has a cross site scripting vulnerability. |
| SecurityAlert-XSSIssues-2017-0201 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.10-RC1, 1.2.0_Beta_1, 1.2.0_Beta_2, 2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.0-Beta1, 2.1.1, 2.1.1-RC1, 2.1.1-RC2, 2.1.2 | Foswiki 2.1.3 | Multiple vulnerabilities addressed in Foswiki-2.1.3. |
| SecurityAlert-XSSIssues-2017-0501 | 1.0.0, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.9-rc1, 1.0.9-RC2, 1.0.10, 1.0.10-rc1, 1.1.0, 1.1.0-beta1, 1.1.0-RC1, 1.1.1, 1.1.2, 1.1.3, 1.1.3-RC1, 1.1.4, 1.1.4-RC2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.10-RC1, 1.2.0_Beta_1, 1.2.0_Beta_2, 2.0.0, 2.0.0-RC1, 2.0.0-RC2, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.0-Beta1, 2.1.1, 2.1.1-RC1, 2.1.1-RC2, 2.1.2, 2.1.3, 2.1.3-Beta1, 2.1.3-Beta2, 2.1.3-RC1 | Foswiki 2.1.4 | Multiple vulnerabilities addressed in Foswiki-2.1.4. |

NOTE: Please put any general security questions in the Support web, as support questions. Newly found security holes should follow the SecurityAlertProcess, and any public discussion must be avoided, i.e. do not raise security reports as public bugs or support questions.
You can read the FAQ topic "How to secure Foswiki against attacks".
Topic revision: r15 - 08 Mar 2023, MichaelDaum