Item11087: SlideShowPlugin must urlencode both the name and value of query parameters

SlideShowPlugin must urlencode both the name and value of query parameters

Only the value was encoded which meant that the name could be things other than the name of a parameter. Thing we do not want.

-- KennethLavrsen - 28 Aug 2011

The patched plugin has been released in Extensions web.

-- KennethLavrsen - 28 Aug 2011

This issue was triaged as a Severity 3 issue per SecurityAlertProcess

As it is a pure simple XSS thing and contained within a plugin we decided to release the plugin itself and annouce this in the foswiki-announce mailing list. We also decided not to hurry out 1.1.4 as we have a few important bug fixes we want to include in 1.1.4.

The download page for 1.1.3 has a note about updating the SlideShowPlugin. Also the KnownIssuesOfFoswiki01x01 and SecurityAlerts pages are updated.

Per policy only level 1 and 2 alerts require a CVE. We have used CVE for XSS and CSRF vectors when the issue was severe. But here it related to one slide show page so it is not needed to use the big canon.

-- KennethLavrsen - 28 Aug 2011

Commenting is disabled while not logged in