
CVE-2023-22464 – ViewVC XSS vulnerability in revision view changed path "copyfrom" locations
https://notcve.org/view.php?id=CVE-2023-22464
04 Jan 2023 — ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challeng...
https://github.com/viewvc/viewvc/issues/311
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2023-22456 – ViewVC XSS vulnerability in revision view changed paths
https://notcve.org/view.php?id=CVE-2023-22456
03 Jan 2023 — ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can...
https://github.com/viewvc/viewvc/issues/311
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-5283 – XSS vulnerability in CVS show_subdir_lastmod support
https://notcve.org/view.php?id=CVE-2020-5283
03 Apr 2020 — ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to cr...
https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2017-5938 – Debian Security Advisory 3784-1
https://notcve.org/view.php?id=CVE-2017-5938
13 Feb 2017 — Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. Thomas Gerbet discov...
http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-4533
https://notcve.org/view.php?id=CVE-2012-4533
19 Nov 2012 — Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-3356
https://notcve.org/view.php?id=CVE-2012-3356
22 Jul 2012 — The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
http://osvdb.org/83225
CWE-287: Improper Authentication

CVE-2012-3357
https://notcve.org/view.php?id=CVE-2012-3357
22 Jul 2012 — The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
http://osvdb.org/83227
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2009-5024
https://notcve.org/view.php?id=CVE-2009-5024
23 May 2011 — ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
http://openwall.com/lists/oss-security/2011/05/19/1
CWE-399: Resource Management Errors

CVE-2010-0132
https://notcve.org/view.php?id=CVE-2010-0132
31 Mar 2010 — Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2010-0736
https://notcve.org/view.php?id=CVE-2010-0736
19 Mar 2010 — Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')