Page 4 of 18 results (0.005 seconds)

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder. ViewVC before 1.0.5 almacena información sensible bajo la raíz web con un control de acceso insuficiente, lo que permite a atacantes remotos leer archivos y listar carpetas bajo la carpeta oculta CVSROOT. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 http://bugs.gentoo.org/show_bug.cgi?id=212288 http://secunia.com/advisories/29176 http://secunia.com/advisories/29460 http://security.gentoo.org/glsa/glsa-200803-29.xml http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD http://www.securityfocus.com/bid/28055 http://www.vupen.com/english/advisories/2008/0734/references • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters. ViewVC before 1.0.5 proporciona revisión de metadatos sin comprobar correctamente si el acceso fue intencionado, lo que permite a atacantes remotos obtener información sensible leyendo (1) rutas prohibidas en la vista de revisión, (2)el historial del log que sólo se puede alcanzar saltando un objeto prohibido, o (3)parámetros de ruta de vista diff prohibidos. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 http://bugs.gentoo.org/show_bug.cgi?id=212288 http://secunia.com/advisories/29176 http://secunia.com/advisories/29460 http://security.gentoo.org/glsa/glsa-200803-29.xml http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD http://www.securityfocus.com/bid/28055 http://www.vupen.com/english/advisories/2008/0734/references • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0

ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view. ViewVC 1.0.2 y anteriores no especifica un charset en su cabecera HTTP o documentos HTML, lo cual permite a un atacante remoto llevar a cabo un ataque de secuencias de comandos en sitios cruzados que inyectan código JavaScript UTF-7 de su elección a a través de una vista. • http://secunia.com/advisories/22395 http://securityreason.com/securityalert/1755 http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=5&raw=true http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD http://www.hardened-php.net/advisory_102006.134.html http://www.securityfocus.com/archive/1/448762/100/0/threaded http://www.securityfocus.com/bid/20543 https://exchange.xforce.ibmcloud.com/vulnerabilities/29576 •