Hello Michael,

Thank you for bringing this to oss-security.

On Sun, Mar 15, 2026 at 03:06:24PM +0100, Michael Daum wrote:
> Foswiki 2.1.11 is available to download now. This release came
> earlier than expected due to the severe security issues found in
> previous versions, as detailed in CVE-2026-2861.
> Read more at https://foswiki.org/Blog/Foswiki2111IsReleased and
> https://foswiki.org/System/ReleaseNotes02x01#Foswiki_Release_2.1.11_Details
>
> Download from https://foswiki.org/Download/FoswikiRelease02x01x11

We require actual detail in here, not just "read more at", and the above
web pages don't tell much about the CVE. There's some actual detail in:

https://foswiki.org/Support/SecurityAlertCVE20262861

which I'll partially quote below:

> Security Alert: Information disclosure vulnerability in viewfile, oops,
> preview and changes endpoints
> 15 March 2026 - 14:30 | Version 4 | Michael Daum
>
> An anonymous user can craft an HTTP url to oops, preview, changes and
> viewfile endpoint to disclose access protected information.
>
> Attack Vectors
>
> An anonymous user can craft an HTTP url to the oops, changes or preview
> endpoint and disclose protected information. For example
> https://mysite.com/bin/oops/Web/SecretTopicWithFormData?template=view will
> disclose any data stored at the given page. Given a topic without view rights
> an unauthorized user can test for the existence of attachments using
> viewfile. The endpoint's order of checking access rights and checking file
> existence is performed in the wrong order.
>
> Impact
>
> Information disclosure of private data.
>
> Details
>
> The changes script does not check access view rights on the topic it was
> loaded on. This is a security problem for any template loading additional
> data at this point. This endpoint has been deprecated for a long time and
> does not serve any particular purpose anymore.
>
> The viewfile's order of checking access rights and checking file existence
> is performed in the wrong order. It foremost needs to check access and only
> then do anything else.
>
> The oops endpoint accepts an arbitrary template url parameter such as
> template=view and thus functions as a normal view endpoint, however without
> performing any access control checks. Similarly preview can be exploited.
>
> Countermeasures
>
> To minimize the attack surface endpoints changes, preview and search are
> removed from the switch board configuration. See hotfix in Item15600: changes
> and preview scripts do not check view access rights, Item15601: viewfile can
> be used to test for existing files even without view rights on the topic and
> Item15602: oops script can be used to display data even without view access
> rights.
>
> Upgrade to the latest patched production Foswiki Release 2.1.11 is highly
> encouraged.
>
> Authors and Credits
>
> Found by: Jan Seebens (Deutsche Telekom Technik GmbH) and Michael Daum
> Consulting
>
> Action Plan with Timeline
>
> 2026-01-12 - Disclosure of issue to foswiki security mailing list
> 2026-01-12 - Developer verifies issue
> 2026-01-12 - Hotfix foswiki.org website
> 2026-01-17 - Developer fixes code
> 2026-02-20 - Security team creates advisory with hotfix
>
> 2026-02-?? - Release Manager builds patch release
> 2026-02-?? - Send alert to foswiki-announce and foswiki-discuss mailing
> lists
> 2026-02-?? - Publish advisory in Support web and update all related topics
> 2026-02-?? - Reference to public advisory on Download page and Known
> Issues
> 2026-02-?? - Issue a public security advisory ([email protected],
> [email protected], [email protected] [email protected]
> [email protected]), https://openwall.com/lists/oss-security

Alexander
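The two defects the advisory describes (viewfile testing file existence before the topic's view ACL, and oops/preview rendering a topic through an arbitrary template with no ACL check at all) are the same class of bug: data-dependent work done before authorization. The following is an added illustration written for this list, not Foswiki's code, and it models the handlers in plain Python with a constructed in-memory ACL and attachment table (topic, user and file names are made up). The "vulnerable" functions reproduce the ordering the advisory complains about; the "fixed" ones check access first, and `leaks_existence` is the kind of regression check a maintainer can keep around to make sure an unauthorized caller cannot distinguish "missing" from "forbidden".

```python
"""Model of the Foswiki 2.1.11 advisory's access-check ordering problem.

Added example, not Foswiki source.  All topics, users, ACLs and attachment
names below are constructed sample data.
"""

# Constructed data: which users may view each topic, and what each topic holds.
TOPIC_VIEW_ACL = {
    "SecretTopicWithFormData": {"alice"},
    "PublicTopic": {"alice", "bob", "guest"},
}
TOPIC_DATA = {
    "SecretTopicWithFormData": "form field: salary=12345",
    "PublicTopic": "welcome page",
}
ATTACHMENTS = {
    "SecretTopicWithFormData": {"plan.pdf"},
    "PublicTopic": {"logo.png"},
}


def can_view(user, topic):
    """Topic-level view ACL; unknown topics are viewable by nobody."""
    return user in TOPIC_VIEW_ACL.get(topic, set())


def viewfile_vulnerable(user, topic, attachment):
    """Existence is tested before the ACL (the ordering the advisory reports).

    A caller without view rights gets a different status for an existing
    attachment (403) than for a missing one (404): an existence oracle.
    """
    if attachment not in ATTACHMENTS.get(topic, set()):
        return 404, "attachment not found"
    if not can_view(user, topic):
        return 403, "access denied"
    return 200, "contents of " + attachment


def viewfile_fixed(user, topic, attachment):
    """ACL first, then everything else; unauthorized callers see one answer."""
    if not can_view(user, topic):
        return 403, "access denied"
    if attachment not in ATTACHMENTS.get(topic, set()):
        return 404, "attachment not found"
    return 200, "contents of " + attachment


def oops_vulnerable(user, topic, template):
    """Renders whatever template is requested with no ACL check at all.

    With template=view this behaves like the normal view endpoint, so the
    topic's data is returned regardless of who asks.
    """
    if template == "view":
        return 200, TOPIC_DATA.get(topic, "")
    return 200, "oops page for " + topic


def oops_fixed(user, topic, template):
    """Any endpoint that can render topic content applies the view ACL first."""
    if not can_view(user, topic):
        return 403, "access denied"
    if template == "view":
        return 200, TOPIC_DATA.get(topic, "")
    return 200, "oops page for " + topic


def leaks_existence(handler, user, topic, candidates):
    """Regression check: True if an unauthorized user's responses differ
    between candidate attachment names, i.e. the handler leaks existence."""
    assert not can_view(user, topic), "check is only meaningful for a denied user"
    return len({handler(user, topic, name) for name in candidates}) > 1


if __name__ == "__main__":
    names = ["plan.pdf", "does-not-exist.pdf"]
    for h in (viewfile_vulnerable, viewfile_fixed):
        print(h.__name__, "leaks:", leaks_existence(h, "guest", "SecretTopicWithFormData", names))
    print("oops_vulnerable:", oops_vulnerable("guest", "SecretTopicWithFormData", "view"))
    print("oops_fixed:     ", oops_fixed("guest", "SecretTopicWithFormData", "view"))
```

The fixed handlers deliberately keep the 404 for a missing attachment only after the ACL has passed, so a user who is allowed to view the topic still gets a useful error, while anyone else gets the same 403 no matter what name they supply.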
