This release contains 61 fixes relative to 2.1.7, including 9 critical security related fixes.
Most notable are:
CVE-2023-33756: SpreadSheetPlugin's EVAL feature exposes information about paths and files on the server
CVE-2023-24698: Local file inclusion vulnerability in viewfile
But also:
directories in working directory are created as world writable 777 permissions
possible XSS attack in attachment comments
restricted allowed protocols to http and https, i.e. forbid file protocol for local file inclusion
prevent symlink attacks by defaulting to a secure location for temporary files
update to jquery-ui 1.13.2
backport patch to earlier jQuery versons to fix a potential XSS vulnerability
possible XSS vulnerability in topic title field
Reverse proxing Foswiki
Foswiki can now properly be run behind a reverse proxy reading a X-Forwarded-For http header. This resulted in mixed content before while rendering HTML.