Critical Foswiki Vulnerablities: A Logic Error Turned Remote Code Execution 

11. July 2023

Our Pentest Professionals at usd HeroLab love open source software as much as anyone. However, it should be secure as well. This is why Christian Pöschl, Senior Consultant IT Security at usd HeroLab, took a closer look at the open source software "Foswiki" in the context of our mission more security. He identified several vulnerabilities that allowed attackers to inject and execute malicious code remotely (remote code execution).

All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy and were quickly fixed by the release of the TopicInteractionPlugin version 9.20.

Our Pentest Professionals wrote this blog to raise awareness of these attack vectors and to help other IT security professionals and system administrators to identify and fix these vulnerabilities.

A detailed description can be found in our LabNews: https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-turned-remote-code-execution/

More details about the identified vulnerabilities can be found here: https://herolab.usd.de/en/security-advisories/

Also interesting:

A5: BSI Publishes New Audit Framework for Trustworthy AI

A5: BSI Publishes New Audit Framework for Trustworthy AI

The German Federal Office for Information Security (BSI) has published the Community Draft of the AI Audit and Assurance Assessment Architecture (A5) (currently available in German only), thus starting the consultation phase. A5 is intended to create a standardized...

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

Categories

Categories