txt plain text

Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.3.

IDEA! Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

This alert covers a number of Severity 3 issues corrected through the normal bugfix process.

XSS / JavaScript injection vulnerabilities:

  • Foswikitask:Item14069: The bin/attach script does not encode the uploaded filename. This can inject javascript into the response. filename, filepath and newname all require encoding.
  • Foswikitask:Item14125: SlideShowPlugin inserts the querstring into the hover text of the start slideshow button, allowing javascript insertion.
  • Foswikitask:Item14171: JQuery Render fails to encode the template name. A crafted URL can inject javascript into the error message for a missing/invalid template.
  • Foswikitask:Item14235: Multiple script injection paths through the edit action, redirectto and templatetopic parameters. URL redirector abuse in the more template.
  • Foswikitask:Item14287: Its possible to inject javascript into the configure via the Extensions Installer default settings provided by the installed extension.

Other security related issues

  • Foswikitask:Item14139: debugenableplugins can be set by users. This flag is supposed to only be accessible to Foswiki installations with DEBUG enabled. Users could potentially use this option to disable security related extensions, such as Anti-spam extensions. This was initially resolved in Foswikitask:Item12875 but was implemented incorrectly.
  • Foswikitask:Item14281: On secure sites (https://) not all cookies have the Secure flag set. The critical Foswiki Session cookie does have the secure flag set.

Severity Level

Severity 3 issue: Foswiki content or browser is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

Vulnerable Software Versions

Fixed in Foswiki 2.1.3


None of these issues are believed to result in compromise of the web server or of Foswiki data.


Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.3.


Good browser practices can now prevent most XSS injection attacks. We also recommend use of the appropriate Security headers. These can be set in the web server configuration.

Authors and Credits

Hotfix for Foswiki Production Release

No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.3
Topic revision: r5 - 08 Mar 2023, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy