
Security Alert: Multiple vulnerabilities addressed in Foswiki-2.1.4.

This alert covers a number of Severity 3 issues corrected through the normal bugfix process.

XSS / JavaScript injection vulnerabilities:

Other security-related issues:

Severity Level

Severity 3 issue: Foswiki content or browser is compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess.

Vulnerable Software Versions

Fixed in Foswiki 2.1.4


None of these issues are believed to result in compromise of the web server or of Foswiki data.


Details are available in the individual linked tasks. These will be available for viewing following the general release of Foswiki 2.1.4.


Keeping browsers current and following good browser practices prevents most XSS injections from succeeding, but this does not remove the need to upgrade. We also recommend sending the appropriate security headers, such as Content-Security-Policy and X-Content-Type-Options; these can be set in the web server configuration.
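As an added example, not Foswiki code and not from this advisory, the following script audits a response's headers for the hardening headers meant above. The header names and the Content-Security-Policy syntax are standard HTTP; the two sample responses (a bare one and one after the web server adds headers, for instance with Apache httpd's mod_headers "Header always set" directive) are constructed here and are not captured from a Foswiki installation.

```python
# Added example (not Foswiki code): audit an HTTP response for the
# security headers an advisory like this one recommends. Header names and
# CSP syntax are standard; the two sample responses below are constructed.

from __future__ import annotations


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated, sources whitespace-separated, names
    case-insensitive. A duplicated directive keeps its first occurrence,
    which is how browsers treat it.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def audit_headers(headers: dict[str, str], https: bool = True) -> list[str]:
    """Return a list of findings for a response's headers; [] means clean.

    Checks the headers that blunt the XSS and content-sniffing class of
    issue this advisory describes:
      - Content-Security-Policy with a script-src that is not wide open
      - X-Content-Type-Options: nosniff
      - clickjacking protection (CSP frame-ancestors or X-Frame-Options)
      - Referrer-Policy
      - Strict-Transport-Security when served over HTTPS
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    csp_raw = h.get("content-security-policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent.
        script_src = csp.get("script-src", csp.get("default-src"))
        if script_src is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            for source in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
                if source in script_src:
                    findings.append(f"CSP allows scripts from {source}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection "
                        "(CSP frame-ancestors or X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    if https and "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security on an HTTPS site")

    return findings


# Constructed sample: what a wiki front end might send with no hardening.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
}

# Constructed sample: the same response after the web server adds headers,
# e.g. via Apache httpd's mod_headers ("Header always set <Name> <value>").
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_headers(resp)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The audit deliberately treats a CSP whose script-src carries 'unsafe-inline' as a finding: such a policy leaves injected inline script executable, so it gives little protection against the XSS class this alert covers. Run it against a real deployment by feeding it the headers from a captured response rather than the constructed samples.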

Authors and Credits

Thanks to Tim Coen of Curesec GmbH for finding and reporting the XSS issues, and to Maxime Besson for reporting the issue with the systemd files.

Hotfix for Foswiki Production Release

No hotfixes are available for these vulnerabilities. Upgrade to Foswiki-2.1.4.
Topic revision: r3 - 01 Jun 2017, GeorgeClark
