CVE-2012-3357
https://notcve.org/view.php?id=CVE-2012-3357
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
References:
http://osvdb.org/83227
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758
http://www.debian.org/security/2012/dsa-2563
http://www.mandriva.com/security/advisories?name=MDVSA-2013:134
http://www.openwall.com/lists/oss-security/2012/06/25/8
http://www.securityfocus.com/bid/54199
https://exchange.xforce.ibmcloud.com/vulnerabilities/76615
https://lwn.net/Articles/505096
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2009-5024
https://notcve.org/view.php?id=CVE-2009-5024
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
References:
http://openwall.com/lists/oss-security/2011/05/19/1
http://openwall.com/lists/oss-security/2011/05/19/9
http://viewvc.tigris.org/issues/show_bug.cgi?id=433
http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES
http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u&view=log#rev2547
http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u&r1=2547&r2=2546&pathrev=2547
http://www.debian
CWE-399: Resource Management Errors
CVE-2010-0736
https://notcve.org/view.php?id=CVE-2010-0736
Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
References:
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326
http://www.openwall.com/lists/oss-security/2010/03/10/8
http://www.openwall.com/lists/oss-security/2010/03/16/14
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-0005
https://notcve.org/view.php?id=CVE-2010-0005
query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
References:
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300
http://www.openwall.com/lists/oss-security/2010/01/11/2
http://www.openwall.com/lists/oss-security/2010/01/13/5
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html
https://www.redhat.com/archives/fedora-package-announce/
CWE-264: Permissions, Privileges, and Access Controls
CVE-2006-5442
https://notcve.org/view.php?id=CVE-2006-5442
ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
References:
http://secunia.com/advisories/22395
http://securityreason.com/securityalert/1755
http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=5&raw=true
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
http://www.hardened-php.net/advisory_102006.134.html
http://www.securityfocus.com/archive/1/448762/100/0/threaded
http://www.securityfocus.com/bid/20543
https://exchange.xforce.ibmcloud.com/vulnerabilities/29576