
CVE-2010-0736
https://notcve.org/view.php?id=CVE-2010-0736
19 Mar 2010 — Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input." • http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-0004
https://notcve.org/view.php?id=CVE-2010-0004
29 Jan 2010 — ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. • http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2010-0005
https://notcve.org/view.php?id=CVE-2010-0005
29 Jan 2010 — query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. • http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html • CWE-264: Permissions, Privileges, and Access Controls

CVE-2009-3618
https://notcve.org/view.php?id=CVE-2009-3618
10 Nov 2009 — Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information. • http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2009-3619
https://notcve.org/view.php?id=CVE-2009-3619
10 Nov 2009 — Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values." • http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

CVE-2008-4325
https://notcve.org/view.php?id=CVE-2008-4325
30 Sep 2008 — lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed. • http://viewvc.tigris.org/issues/show_bug.cgi?id=354

CVE-2008-1290
https://notcve.org/view.php?id=CVE-2008-1290
24 Mar 2008 — ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2008-1291
https://notcve.org/view.php?id=CVE-2008-1291
24 Mar 2008 — ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2008-1292
https://notcve.org/view.php?id=CVE-2008-1292
24 Mar 2008 — ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2006-5442
https://notcve.org/view.php?id=CVE-2006-5442
21 Oct 2006 — ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view. • http://secunia.com/advisories/22395