RSS   Vulnerabilities for 'Viewvc'   RSS

2020-04-03
 
CVE-2020-5283

CWE-79
 

 
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

 
2019-11-07
 
CVE-2007-5743

CWE-732
 

 
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.

 
2017-03-15
 
CVE-2017-5938

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

 
2012-11-18
 
CVE-2012-4533

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.

 
2012-07-22
 
CVE-2012-3357

CWE-200
 

 
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."

 
 
CVE-2012-3356

CWE-287
 

 
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

 
2010-03-19
 
CVE-2010-0736

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."

 
2010-03-31
 
CVE-2010-0132

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.

 
2010-01-29
 
CVE-2010-0005

CWE-264
 

 
query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.

 
 
CVE-2010-0004

CWE-200
 

 
ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.

 


Copyright 2021, cxsecurity.com

 

Back to Top