CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-22464 – ViewVC XSS vulnerability in revision view changed path "copyfrom" locations
https://notcve.org/view.php?id=CVE-2023-22464
04 Jan 2023 — ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challeng... • https://github.com/viewvc/viewvc/issues/311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22456 – ViewVC XSS vulnerability in revision view changed paths
https://notcve.org/view.php?id=CVE-2023-22456
03 Jan 2023 — ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can... • https://github.com/viewvc/viewvc/issues/311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-5283 – XSS vulnerability in CVS show_subdir_lastmod support
https://notcve.org/view.php?id=CVE-2020-5283
03 Apr 2020 — ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to cr... • https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2017-5938 – Debian Security Advisory 3784-1
https://notcve.org/view.php?id=CVE-2017-5938
13 Feb 2017 — Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. La vulnerabilidad tipo cross-site-scripting (XSS) en la función nav_path en el archivo lib/viewvc.py en ViewVC anterior a versión 1.0.14 y 1.1.x anterior a versión 1.1.26, permite a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio del nombre nav_data. Thomas Gerbet discov... • http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 33EXPL: 0CVE-2012-3356
https://notcve.org/view.php?id=CVE-2012-3356
22 Jul 2012 — The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors. La vista SVN de funcionalidad remota (lib/vclib/svn/svn_ra.py) en ViewVC anterior a v1.1.15 no realiza correctamente la autorización, permite a atacantes remotos eludir restricciones de acceso a través destinados vectores no especificados. • http://osvdb.org/83225 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 33EXPL: 0CVE-2012-3357
https://notcve.org/view.php?id=CVE-2012-3357
22 Jul 2012 — The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak." La revisión de la vista SVN (lib/vclib/svn/svn_repos.py) en ViewVC anterior a 1.1.15 no controla correctamente los mensajes de registro cuando se copia un camino legible de una ruta ilegible, lo que permite a atacantes remotos obtener información sens... • http://osvdb.org/83227 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 29EXPL: 0CVE-2009-5024
https://notcve.org/view.php?id=CVE-2009-5024
23 May 2011 — ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request. ViewVC antes de v1.1.11 permite a atacantes remotos saltar la opción de configuración de cvsdb que limita el número de columnas, y por lo tanto realizar ataques de consumo de recursos, a través del parámetro límite,como se demuestra con una petición de "consulta al historial de ... • http://openwall.com/lists/oss-security/2011/05/19/1 • CWE-399: Resource Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 13EXPL: 0CVE-2010-0736
https://notcve.org/view.php?id=CVE-2010-0736
19 Mar 2010 — Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input." Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función view_queryform en lib/viewvc.py en ViewVC anterior a v1.0.10, y v1.1.x anterior a v1.1.4, permite a atacantes remotos inyectar código web o HTML de su elección a través de "user-provided input." • http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 11EXPL: 0CVE-2010-0005
https://notcve.org/view.php?id=CVE-2010-0005
29 Jan 2010 — query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. query.py en el interfaz de consultas en ViewVC anterior a v 1.1.3., no rechaza las configuraciones que especifican un autorizador no soportado para root, lo que podría pertmitir a atacantes remotos evitar las restricciones de acceso establecidas a través de una consulta. • http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2006-5442
https://notcve.org/view.php?id=CVE-2006-5442
21 Oct 2006 — ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view. ViewVC 1.0.2 y anteriores no especifica un charset en su cabecera HTTP o documentos HTML, lo cual permite a un atacante remoto llevar a cabo un ataque de secuencias de comandos en sitios cruzados que inyectan código JavaScript UTF-7 de su elección a a través de una vista. • http://secunia.com/advisories/22395 •