CVE-2023-22464

ViewVC XSS vulnerability in revision view changed path "copyfrom" locations

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).

ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)

ViewVC es una interfaz de navegador para repositorios de control de versiones CVS y Subversion. Las versiones anteriores a 1.2.3 y 1.1.30 son vulnerables a cross-site scripting. El impacto de esta vulnerabilidad se ve mitigado por la necesidad de que un atacante tenga privilegios de confirmación en un repositorio de Subversion expuesto por una instancia de ViewVC que de otro modo sería confiable. El vector de ataque involucra archivos con nombres no seguros (nombres que, cuando se incrustan en una secuencia HTML, harían que el navegador ejecute código no deseado), que a su vez pueden ser difíciles de crear. Los usuarios deben actualizar al menos a la versión 1.2.3 (si usan una versión 1.2.x de ViewVC) o 1.1.30 (si usan una versión 1.1.x). ViewVC 1.0.x ya no es compatible, por lo que los usuarios de ese linaje de versiones deben implementar una de las siguientes soluciones. Los usuarios pueden editar sus plantillas de vista ViewVC EZT para escapar manualmente de la ruta cambiada en HTML "copiar desde rutas" durante el renderizado. Ubique en el archivo `revision.ezt` de su conjunto de plantillas las referencias a esas rutas modificadas y envuélvalas con `[formato "html"]` y `[end]`. Para la mayoría de los usuarios, eso significa que las referencias a `[changes.copy_path]` se convertirán en `[format "html"][changes.copy_path][end]`. (Este workaround debe revertirse después de actualizar a una versión parcheada de ViewVC; de lo contrario, los nombres de "ruta de copia" aparecerán doblemente como escape).

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-12-29 CVE Reserved
2023-01-04 CVE Published
2024-07-27 EPSS Updated
2024-08-02 CVE Updated
2024-08-02 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CAPEC

References (4)

URL	Tag	Source
https://github.com/viewvc/viewvc/releases/tag/1.1.30	Release Notes
https://github.com/viewvc/viewvc/releases/tag/1.2.3	Release Notes
https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h	Mitigation

URL	Date	SRC
https://github.com/viewvc/viewvc/issues/311	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Viewvc Search vendor "Viewvc"		Viewvc Search vendor "Viewvc" for product "Viewvc"				< 1.1.30 Search vendor "Viewvc" for product "Viewvc" and version " < 1.1.30"		-		Affected
Viewvc Search vendor "Viewvc"		Viewvc Search vendor "Viewvc" for product "Viewvc"				>= 1.2.0 < 1.2.3 Search vendor "Viewvc" for product "Viewvc" and version " >= 1.2.0 < 1.2.3"		-		Affected