All the vulnerabilites related to viewvc - viewvc
cve-2012-3356
Vulnerability from cvelistv5
Published
2012-07-22 16:00
Modified
2024-08-06 20:05
Severity ?
EPSS score ?
Summary
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:11.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3356",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:11.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-5024
Vulnerability from cvelistv5
Published
2011-05-23 22:00
Modified
2024-08-07 07:24
Severity ?
EPSS score ?
Summary
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/47928 | vdb-entry, x_refsource_BID | |
| http://openwall.com/lists/oss-security/2011/05/19/9 | mailing-list, x_refsource_MLIST | |
| http://viewvc.tigris.org/issues/show_bug.cgi?id=433 | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u&r1=2547&r2=2546&pathrev=2547 | x_refsource_CONFIRM | |
| http://openwall.com/lists/oss-security/2011/05/19/1 | mailing-list, x_refsource_MLIST | |
| http://www.debian.org/security/2012/dsa-2563 | vendor-advisory, x_refsource_DEBIAN | |
| http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u&view=log#rev2547 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:24:53.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-20T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-5024",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "47928",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"name": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-5024",
"datePublished": "2011-05-23T22:00:00",
"dateReserved": "2010-12-09T00:00:00",
"dateUpdated": "2024-08-07T07:24:53.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-0005
Vulnerability from cvelistv5
Published
2010-01-29 18:00
Modified
2024-09-16 17:38
Severity ?
EPSS score ?
Summary
query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
References
| ▼ | URL | Tags |
|---|---|---|
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD | x_refsource_CONFIRM | |
| https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2010/01/13/5 | mailing-list, x_refsource_MLIST | |
| https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2010/01/11/2 | mailing-list, x_refsource_MLIST | |
| http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html | vendor-advisory, x_refsource_SUSE | |
| http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:30:47.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"name": "SUSE-SA:2010:008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-01-29T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"name": "SUSE-SA:2010:008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-0005",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"name": "SUSE-SA:2010:008",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-0005",
"datePublished": "2010-01-29T18:00:00Z",
"dateReserved": "2009-12-14T00:00:00Z",
"dateUpdated": "2024-09-16T17:38:01.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-0736
Vulnerability from cvelistv5
Published
2010-03-19 19:00
Modified
2024-09-17 00:26
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
References
| ▼ | URL | Tags |
|---|---|---|
| http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2010/03/16/14 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2010/03/10/8 | mailing-list, x_refsource_MLIST | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:59:38.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326"
},
{
"name": "[oss-security] 20100316 Re: CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/16/14"
},
{
"name": "[oss-security] 20100310 CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via \"user-provided input.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-03-19T19:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326"
},
{
"name": "[oss-security] 20100316 Re: CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/16/14"
},
{
"name": "[oss-security] 20100310 CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-0736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via \"user-provided input.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326"
},
{
"name": "[oss-security] 20100316 Re: CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/03/16/14"
},
{
"name": "[oss-security] 20100310 CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/03/10/8"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-0736",
"datePublished": "2010-03-19T19:00:00Z",
"dateReserved": "2010-02-26T00:00:00Z",
"dateUpdated": "2024-09-17T00:26:26.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-5283
Vulnerability from cvelistv5
Published
2020-04-03 00:10
Modified
2024-08-04 08:22
Severity ?
EPSS score ?
Summary
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg | x_refsource_CONFIRM | |
| https://github.com/viewvc/viewvc/issues/211 | x_refsource_MISC | |
| https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8 | x_refsource_MISC | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.28"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-15T05:06:08",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability in CVS show_subdir_lastmod support",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5283",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability in CVS show_subdir_lastmod support"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "viewvc",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.28"
},
{
"version_value": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
}
]
},
"vendor_name": "viewvc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"name": "https://github.com/viewvc/viewvc/issues/211",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"name": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
]
},
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5283",
"datePublished": "2020-04-03T00:10:13",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2006-5442
Vulnerability from cvelistv5
Published
2006-10-21 00:00
Modified
2024-08-07 19:48
Severity ?
EPSS score ?
Summary
ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/448762/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=5&raw=true | mailing-list, x_refsource_MLIST | |
| http://www.hardened-php.net/advisory_102006.134.html | x_refsource_MISC | |
| http://securityreason.com/securityalert/1755 | third-party-advisory, x_refsource_SREASON | |
| http://secunia.com/advisories/22395 | third-party-advisory, x_refsource_SECUNIA | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/29576 | vdb-entry, x_refsource_XF | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/20543 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T19:48:30.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20061015 Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/448762/100/0/threaded"
},
{
"name": "[announce] 20061013 ViewVC 1.0.3 released [SECURITY FIXES]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://viewvc.tigris.org/servlets/ReadMsg?list=announce\u0026msgNo=5\u0026raw=true"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.hardened-php.net/advisory_102006.134.html"
},
{
"name": "1755",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/1755"
},
{
"name": "22395",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/22395"
},
{
"name": "viewvc-utf7-xss(29576)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29576"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"name": "20543",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/20543"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2006-10-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-17T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20061015 Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/448762/100/0/threaded"
},
{
"name": "[announce] 20061013 ViewVC 1.0.3 released [SECURITY FIXES]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://viewvc.tigris.org/servlets/ReadMsg?list=announce\u0026msgNo=5\u0026raw=true"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.hardened-php.net/advisory_102006.134.html"
},
{
"name": "1755",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/1755"
},
{
"name": "22395",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/22395"
},
{
"name": "viewvc-utf7-xss(29576)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29576"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"name": "20543",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/20543"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-5442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20061015 Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/448762/100/0/threaded"
},
{
"name": "[announce] 20061013 ViewVC 1.0.3 released [SECURITY FIXES]",
"refsource": "MLIST",
"url": "http://viewvc.tigris.org/servlets/ReadMsg?list=announce\u0026msgNo=5\u0026raw=true"
},
{
"name": "http://www.hardened-php.net/advisory_102006.134.html",
"refsource": "MISC",
"url": "http://www.hardened-php.net/advisory_102006.134.html"
},
{
"name": "1755",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/1755"
},
{
"name": "22395",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/22395"
},
{
"name": "viewvc-utf7-xss(29576)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29576"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"name": "20543",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/20543"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-5442",
"datePublished": "2006-10-21T00:00:00",
"dateReserved": "2006-10-20T00:00:00",
"dateUpdated": "2024-08-07T19:48:30.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2007-5743
Vulnerability from cvelistv5
Published
2019-11-07 21:55
Modified
2024-08-07 15:39
Severity ?
EPSS score ?
Summary
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2007-5743 | x_refsource_MISC | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:39:13.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-03-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-07T21:55:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5743",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2007-5743",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5743",
"datePublished": "2019-11-07T21:55:32",
"dateReserved": "2007-10-31T00:00:00",
"dateUpdated": "2024-08-07T15:39:13.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-4533
Vulnerability from cvelistv5
Published
2012-11-19 00:00
Modified
2024-08-06 20:42
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:42:53.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51072"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the \"extra\" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the \"function name\" line."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51072"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4533",
"datePublished": "2012-11-19T00:00:00",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:42:53.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2008-1291
Vulnerability from cvelistv5
Published
2008-03-24 17:00
Modified
2024-08-07 08:17
Severity ?
EPSS score ?
Summary
ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder.
References
| ▼ | URL | Tags |
|---|---|---|
| http://security.gentoo.org/glsa/glsa-200803-29.xml | vendor-advisory, x_refsource_GENTOO | |
| http://secunia.com/advisories/29460 | third-party-advisory, x_refsource_SECUNIA | |
| http://secunia.com/advisories/29176 | third-party-advisory, x_refsource_SECUNIA | |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2008/0734/references | vdb-entry, x_refsource_VUPEN | |
| http://www.securityfocus.com/bid/28055 | vdb-entry, x_refsource_BID | |
| http://bugs.gentoo.org/show_bug.cgi?id=212288 | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:17:33.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-03-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-08-20T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-1291",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-200803-29",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29176"
},
{
"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380",
"refsource": "CONFIRM",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/28055"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=212288",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-1291",
"datePublished": "2008-03-24T17:00:00",
"dateReserved": "2008-03-12T00:00:00",
"dateUpdated": "2024-08-07T08:17:33.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22464
Vulnerability from cvelistv5
Published
2023-01-04 15:12
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h | x_refsource_CONFIRM | |
| https://github.com/viewvc/viewvc/issues/311 | x_refsource_MISC | |
| https://github.com/viewvc/viewvc/releases/tag/1.1.30 | x_refsource_MISC | |
| https://github.com/viewvc/viewvc/releases/tag/1.2.3 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.30"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path \"copyfrom paths\" during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format \"html\"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else \"copyfrom path\" names will be doubly escaped.)\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-04T15:12:50.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"source": {
"advisory": "GHSA-jvpj-293q-q53h",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed path \"copyfrom\" locations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22464",
"datePublished": "2023-01-04T15:12:50.980Z",
"dateReserved": "2022-12-29T03:00:40.879Z",
"dateUpdated": "2024-08-02T10:13:48.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-0004
Vulnerability from cvelistv5
Published
2010-01-29 18:00
Modified
2024-09-16 23:51
Severity ?
EPSS score ?
Summary
ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
References
| ▼ | URL | Tags |
|---|---|---|
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD | x_refsource_CONFIRM | |
| https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2010/01/13/5 | mailing-list, x_refsource_MLIST | |
| https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2010/01/11/2 | mailing-list, x_refsource_MLIST | |
| http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2010/01/14/4 | mailing-list, x_refsource_MLIST | |
| http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html | vendor-advisory, x_refsource_SUSE | |
| http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:30:47.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222"
},
{
"name": "[oss-security] 20100114 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/14/4"
},
{
"name": "SUSE-SA:2010:008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-01-29T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222"
},
{
"name": "[oss-security] 20100114 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/01/14/4"
},
{
"name": "SUSE-SA:2010:008",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-0004",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2009-13610",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"name": "[oss-security] 20100113 Re: CVE Request: viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"name": "FEDORA-2009-13634",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"name": "[oss-security] 20100111 CVE Request: viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222"
},
{
"name": "[oss-security] 20100114 Re: CVE Request: viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/01/14/4"
},
{
"name": "SUSE-SA:2010:008",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-0004",
"datePublished": "2010-01-29T18:00:00Z",
"dateReserved": "2009-12-14T00:00:00Z",
"dateUpdated": "2024-09-16T23:51:34.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22456
Vulnerability from cvelistv5
Published
2023-01-03 18:29
Modified
2024-08-02 10:13
Severity ?
EPSS score ?
Summary
ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g | x_refsource_CONFIRM | |
| https://github.com/viewvc/viewvc/issues/311 | x_refsource_MISC | |
| https://github.com/viewvc/viewvc/releases/tag/1.1.29 | x_refsource_MISC | |
| https://github.com/viewvc/viewvc/releases/tag/1.2.2 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.29"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T18:29:51.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"source": {
"advisory": "GHSA-j4mx-f97j-gc5g",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22456",
"datePublished": "2023-01-03T18:29:51.262Z",
"dateReserved": "2022-12-29T03:00:40.878Z",
"dateUpdated": "2024-08-02T10:13:48.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2008-4325
Vulnerability from cvelistv5
Published
2008-09-30 16:00
Modified
2024-09-17 01:06
Severity ?
EPSS score ?
Summary
lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
References
| ▼ | URL | Tags |
|---|---|---|
| http://viewvc.tigris.org/source/browse/viewvc?rev=1978&view=rev | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011&r1=1968&r2=1978 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2008/09/19/4 | mailing-list, x_refsource_MLIST | |
| http://viewvc.tigris.org/issues/show_bug.cgi?id=354 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2008/09/20/1 | mailing-list, x_refsource_MLIST | |
| https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html | vendor-advisory, x_refsource_FEDORA | |
| https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:08:35.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978"
},
{
"name": "[oss-security] 20080919 viewvc security flaw?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/19/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354"
},
{
"name": "[oss-security] 20080920 Re: viewvc security flaw?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/20/1"
},
{
"name": "FEDORA-2008-8270",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html"
},
{
"name": "FEDORA-2008-8252",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-09-30T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978"
},
{
"name": "[oss-security] 20080919 viewvc security flaw?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/19/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354"
},
{
"name": "[oss-security] 20080920 Re: viewvc security flaw?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/20/1"
},
{
"name": "FEDORA-2008-8270",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html"
},
{
"name": "FEDORA-2008-8252",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4325",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978"
},
{
"name": "[oss-security] 20080919 viewvc security flaw?",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/19/4"
},
{
"name": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354"
},
{
"name": "[oss-security] 20080920 Re: viewvc security flaw?",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/20/1"
},
{
"name": "FEDORA-2008-8270",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html"
},
{
"name": "FEDORA-2008-8252",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-4325",
"datePublished": "2008-09-30T16:00:00Z",
"dateReserved": "2008-09-30T00:00:00Z",
"dateUpdated": "2024-09-17T01:06:23.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-0132
Vulnerability from cvelistv5
Published
2010-03-31 17:35
Modified
2024-08-07 00:37
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/510408/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD | x_refsource_CONFIRM | |
| http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html | vendor-advisory, x_refsource_FEDORA | |
| http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html | vendor-advisory, x_refsource_FEDORA | |
| http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html | vendor-advisory, x_refsource_SUSE | |
| http://secunia.com/secunia_research/2010-26/ | x_refsource_MISC | |
| http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html | vendor-advisory, x_refsource_FEDORA | |
| http://secunia.com/advisories/38918 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.vupen.com/english/advisories/2010/0844 | vdb-entry, x_refsource_VUPEN | |
| http://www.vupen.com/english/advisories/2010/0743 | vdb-entry, x_refsource_VUPEN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:37:53.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20100330 Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/510408/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2010-5524",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html"
},
{
"name": "FEDORA-2010-5507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html"
},
{
"name": "SUSE-SR:2010:009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://secunia.com/secunia_research/2010-26/"
},
{
"name": "FEDORA-2010-5805",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html"
},
{
"name": "38918",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/38918"
},
{
"name": "ADV-2010-0844",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/0844"
},
{
"name": "ADV-2010-0743",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/0743"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-03-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to \"search_re input,\" a different vulnerability than CVE-2010-0736."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"shortName": "flexera"
},
"references": [
{
"name": "20100330 Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/510408/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2010-5524",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html"
},
{
"name": "FEDORA-2010-5507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html"
},
{
"name": "SUSE-SR:2010:009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://secunia.com/secunia_research/2010-26/"
},
{
"name": "FEDORA-2010-5805",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html"
},
{
"name": "38918",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/38918"
},
{
"name": "ADV-2010-0844",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/0844"
},
{
"name": "ADV-2010-0743",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/0743"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
"ID": "CVE-2010-0132",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to \"search_re input,\" a different vulnerability than CVE-2010-0736."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20100330 Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/510408/100/0/threaded"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD"
},
{
"name": "FEDORA-2010-5524",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html"
},
{
"name": "FEDORA-2010-5507",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html"
},
{
"name": "SUSE-SR:2010:009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"name": "http://secunia.com/secunia_research/2010-26/",
"refsource": "MISC",
"url": "http://secunia.com/secunia_research/2010-26/"
},
{
"name": "FEDORA-2010-5805",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html"
},
{
"name": "38918",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/38918"
},
{
"name": "ADV-2010-0844",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/0844"
},
{
"name": "ADV-2010-0743",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/0743"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"assignerShortName": "flexera",
"cveId": "CVE-2010-0132",
"datePublished": "2010-03-31T17:35:00",
"dateReserved": "2010-01-04T00:00:00",
"dateUpdated": "2024-08-07T00:37:53.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-5938
Vulnerability from cvelistv5
Published
2017-03-15 14:00
Modified
2024-08-05 15:18
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/viewvc/viewvc/releases/tag/1.0.14 | x_refsource_CONFIRM | |
| https://github.com/viewvc/viewvc/issues/137 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/96185 | vdb-entry, x_refsource_BID | |
| https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad | x_refsource_CONFIRM | |
| https://github.com/viewvc/viewvc/releases/tag/1.1.26 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2017/02/09/6 | mailing-list, x_refsource_MLIST | |
| http://www.debian.org/security/2017/dsa-3784 | vendor-advisory, x_refsource_DEBIAN | |
| http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html | vendor-advisory, x_refsource_SUSE |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:49.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-07T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.0.14",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"name": "https://github.com/viewvc/viewvc/issues/137",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96185"
},
{
"name": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.26",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5938",
"datePublished": "2017-03-15T14:00:00",
"dateReserved": "2017-02-08T00:00:00",
"dateUpdated": "2024-08-05T15:18:49.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-3619
Vulnerability from cvelistv5
Published
2009-11-10 02:00
Modified
2024-08-07 06:31
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.vupen.com/english/advisories/2009/2257 | vdb-entry, x_refsource_VUPEN | |
| http://secunia.com/advisories/36292 | third-party-advisory, x_refsource_SECUNIA | |
| https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html | vendor-advisory, x_refsource_FEDORA | |
| https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html | vendor-advisory, x_refsource_FEDORA | |
| http://www.openwall.com/lists/oss-security/2009/10/16/10 | mailing-list, x_refsource_MLIST | |
| http://secunia.com/advisories/36311 | third-party-advisory, x_refsource_SECUNIA | |
| http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235&pathrev=HEAD | x_refsource_CONFIRM | |
| http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html | vendor-advisory, x_refsource_SUSE |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:31:10.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ADV-2009-2257",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36311"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-08-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to \"printing illegal parameter names and values.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-12-04T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "ADV-2009-2257",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36311"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-3619",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to \"printing illegal parameter names and values.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2009-2257",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36311"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-3619",
"datePublished": "2009-11-10T02:00:00",
"dateReserved": "2009-10-09T00:00:00",
"dateUpdated": "2024-08-07T06:31:10.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-3357
Vulnerability from cvelistv5
Published
2012-07-22 16:00
Modified
2024-08-06 20:05
Severity ?
EPSS score ?
Summary
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2012/06/25/8 | mailing-list, x_refsource_MLIST | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/76615 | vdb-entry, x_refsource_XF | |
| http://www.securityfocus.com/bid/54199 | vdb-entry, x_refsource_BID | |
| https://lwn.net/Articles/505096/ | vendor-advisory, x_refsource_SUSE | |
| https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175 | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758 | x_refsource_CONFIRM | |
| http://osvdb.org/83227 | vdb-entry, x_refsource_OSVDB | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2013:134 | vendor-advisory, x_refsource_MANDRIVA | |
| http://www.debian.org/security/2012/dsa-2563 | vendor-advisory, x_refsource_DEBIAN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:12.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a \"log msg leak.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3357",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:12.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2008-1292
Vulnerability from cvelistv5
Published
2008-03-24 17:00
Modified
2024-08-07 08:17
Severity ?
EPSS score ?
Summary
ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters.
References
| ▼ | URL | Tags |
|---|---|---|
| http://security.gentoo.org/glsa/glsa-200803-29.xml | vendor-advisory, x_refsource_GENTOO | |
| http://secunia.com/advisories/29460 | third-party-advisory, x_refsource_SECUNIA | |
| http://secunia.com/advisories/29176 | third-party-advisory, x_refsource_SECUNIA | |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2008/0734/references | vdb-entry, x_refsource_VUPEN | |
| http://www.securityfocus.com/bid/28055 | vdb-entry, x_refsource_BID | |
| http://bugs.gentoo.org/show_bug.cgi?id=212288 | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:17:34.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-03-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-08-20T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-1292",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-200803-29",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29176"
},
{
"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380",
"refsource": "CONFIRM",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/28055"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=212288",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-1292",
"datePublished": "2008-03-24T17:00:00",
"dateReserved": "2008-03-12T00:00:00",
"dateUpdated": "2024-08-07T08:17:34.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2008-1290
Vulnerability from cvelistv5
Published
2008-03-24 17:00
Modified
2024-08-07 08:17
Severity ?
EPSS score ?
Summary
ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://security.gentoo.org/glsa/glsa-200803-29.xml | vendor-advisory, x_refsource_GENTOO | |
| http://secunia.com/advisories/29460 | third-party-advisory, x_refsource_SECUNIA | |
| http://secunia.com/advisories/29176 | third-party-advisory, x_refsource_SECUNIA | |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2008/0734/references | vdb-entry, x_refsource_VUPEN | |
| http://www.securityfocus.com/bid/28055 | vdb-entry, x_refsource_BID | |
| http://bugs.gentoo.org/show_bug.cgi?id=212288 | x_refsource_CONFIRM | |
| http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:17:33.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-03-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 includes \"all-forbidden\" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-08-20T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-200803-29",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29176"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-1290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.0.5 includes \"all-forbidden\" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-200803-29",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"name": "29460",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29460"
},
{
"name": "29176",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29176"
},
{
"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380",
"refsource": "CONFIRM",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"name": "ADV-2008-0734",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"name": "28055",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/28055"
},
{
"name": "http://bugs.gentoo.org/show_bug.cgi?id=212288",
"refsource": "CONFIRM",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-1290",
"datePublished": "2008-03-24T17:00:00",
"dateReserved": "2008-03-12T00:00:00",
"dateUpdated": "2024-08-07T08:17:33.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-3618
Vulnerability from cvelistv5
Published
2009-11-10 02:00
Modified
2024-08-07 06:31
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.vupen.com/english/advisories/2009/2257 | vdb-entry, x_refsource_VUPEN | |
| http://secunia.com/advisories/36292 | third-party-advisory, x_refsource_SECUNIA | |
| https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html | vendor-advisory, x_refsource_FEDORA | |
| https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html | vendor-advisory, x_refsource_FEDORA | |
| http://osvdb.org/56997 | vdb-entry, x_refsource_OSVDB | |
| http://www.openwall.com/lists/oss-security/2009/10/16/10 | mailing-list, x_refsource_MLIST | |
| http://secunia.com/advisories/36311 | third-party-advisory, x_refsource_SECUNIA | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/52430 | vdb-entry, x_refsource_XF | |
| http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235&pathrev=HEAD | x_refsource_CONFIRM | |
| http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html | vendor-advisory, x_refsource_SUSE |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:31:10.734Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ADV-2009-2257",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "56997",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/56997"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36311"
},
{
"name": "viewvc-view-xss(52430)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52430"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-08-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "ADV-2009-2257",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "56997",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/56997"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36311"
},
{
"name": "viewvc-view-xss(52430)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52430"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-3618",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2009-2257",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"name": "36292",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36292"
},
{
"name": "FEDORA-2009-8501",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"name": "FEDORA-2009-8507",
"refsource": "FEDORA",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"name": "56997",
"refsource": "OSVDB",
"url": "http://osvdb.org/56997"
},
{
"name": "[oss-security] 20091016 Re: viewvc: CVE request: XSS and illegal characters while printing name-value pairs",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"name": "36311",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36311"
},
{
"name": "viewvc-view-xss(52430)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52430"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"name": "SUSE-SR:2009:017",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-3618",
"datePublished": "2009-11-10T02:00:00",
"dateReserved": "2009-10-09T00:00:00",
"dateUpdated": "2024-08-07T06:31:10.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2012-11-19 00:55
Modified
2024-11-21 01:43
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | * | |
| debian | debian_linux | 6.0 | |
| debian | debian_linux | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37BA9607-E687-4720-A24E-7AD9F6C6ABEE",
"versionEndExcluding": "1.0.13",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1981E5-8550-4B67-8FA2-F98373B03AA0",
"versionEndExcluding": "1.1.16",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the \"extra\" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the \"function name\" line."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en los detalles \"extra\" en la funci\u00f3n DiffSource._get_row en lib/viewvc.py en ViewVC v1.0.x antes de v1.0.13 y v1.1.x antes de v1.1.16 permite inyectar secuencias de comandos web o HTML a usuarios remotos autenticados con acceso al repositorio de versiones a trav\u00e9s de la l\u00ednea nombre de funci\u00f3n (function name\").\r\n"
}
],
"id": "CVE-2012-4533",
"lastModified": "2024-11-21T01:43:04.740",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-11-19T00:55:00.900",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/86566"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51041"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51072"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/86566"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51041"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-15 14:59
Modified
2024-11-21 03:28
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | debian_linux | 8.0 | |
| opensuse | leap | 42.2 | |
| opensuse_project | leap | 42.1 | |
| viewvc | viewvc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1EA337A3-B9A3-4962-B8BD-8E0C7C5B28EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse_project:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CF605E46-ADCE-45B3-BBBA-E593D3CEE2A6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48F736A6-92CB-475A-9BCB-1FD1A1066E7F",
"versionEndIncluding": "1.1.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
},
{
"lang": "es",
"value": "La vulnerabilidad tipo cross-site-scripting (XSS) en la funci\u00f3n nav_path en el archivo lib/viewvc.py en ViewVC anterior a versi\u00f3n 1.0.14 y 1.1.x anterior a versi\u00f3n 1.1.26, permite a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio del nombre nav_data."
}
],
"id": "CVE-2017-5938",
"lastModified": "2024-11-21T03:28:42.573",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-15T14:59:00.557",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-07-22 16:55
Modified
2024-11-21 01:40
Severity ?
Summary
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | 0.8 | |
| viewvc | viewvc | 0.9 | |
| viewvc | viewvc | 0.9.1 | |
| viewvc | viewvc | 0.9.2 | |
| viewvc | viewvc | 0.9.3 | |
| viewvc | viewvc | 0.9.4 | |
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.0.11 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 | |
| viewvc | viewvc | 1.1.5 | |
| viewvc | viewvc | 1.1.6 | |
| viewvc | viewvc | 1.1.7 | |
| viewvc | viewvc | 1.1.8 | |
| viewvc | viewvc | 1.1.9 | |
| viewvc | viewvc | 1.1.10 | |
| viewvc | viewvc | 1.1.11 | |
| viewvc | viewvc | 1.1.12 | |
| viewvc | viewvc | 1.1.13 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E32A343E-869D-4BEB-AB65-094C1E548812",
"versionEndIncluding": "1.1.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7419BB99-B279-44B7-A41F-765805695DF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D05FE1-6EA9-4C71-8F4E-8507C5F87952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "38AA489B-4287-48D9-B771-C066E41A7B52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B8E798B8-B3E0-4359-BEFE-777F71AB4ECB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors."
},
{
"lang": "es",
"value": "La vista SVN de funcionalidad remota (lib/vclib/svn/svn_ra.py) en ViewVC anterior a v1.1.15 no realiza correctamente la autorizaci\u00f3n, permite a atacantes remotos eludir restricciones de acceso a trav\u00e9s destinados vectores no especificados."
}
],
"id": "CVE-2012-3356",
"lastModified": "2024-11-21T01:40:41.770",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-07-22T16:55:39.523",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/83225"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/54197"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"source": "secalert@redhat.com",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "secalert@redhat.com",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/83225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/54197"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-01-29 18:30
Modified
2024-11-21 01:11
Severity ?
Summary
query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C05DE946-9350-42A9-A399-9B8FE719A46A",
"versionEndIncluding": "1.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query."
},
{
"lang": "es",
"value": "query.py en el interfaz de consultas en ViewVC anterior a v 1.1.3., no rechaza las configuraciones que especifican un autorizador no soportado para root, lo que podr\u00eda pertmitir a atacantes remotos evitar las restricciones de acceso establecidas a trav\u00e9s de una consulta."
}
],
"id": "CVE-2010-0005",
"lastModified": "2024-11-21T01:11:18.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-01-29T18:30:01.057",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-09-30 16:13
Modified
2024-11-21 00:51
Severity ?
Summary
lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed."
},
{
"lang": "es",
"value": "lib/viewvc.py en ViewVC v1.0.5 utiliza el parametro \"content-type\" en la peticion HTTP para la cabecera \"content-type\" en la respuesta HTTP, que permite a los atacantes remotos provocar una malinterpretacion del contenido por parte del navegador, a traves de el parametro \"content-type\" que no corresponde con el objeto solicitado.\r\nNOTA: Esta caracteristica puede no ser una vulnerabilidad, dado que requiere que el atacante acceda al repositorio que esta viendo."
}
],
"id": "CVE-2008-4325",
"lastModified": "2024-11-21T00:51:23.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-09-30T16:13:50.360",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/19/4"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/20/1"
},
{
"source": "cve@mitre.org",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=354"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011\u0026r1=1968\u0026r2=1978"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?rev=1978\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/19/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-11-10 02:30
Modified
2024-11-21 01:07
Severity ?
Summary
Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to \"printing illegal parameter names and values.\""
},
{
"lang": "es",
"value": "Vulnerabilidad sin especificar en ViewVC v1.0 anterior a v1.0.9 y v1.1 anterior a v1.1.2, tiene un impacto y vectores de ataque desconocidos relacionado con la \"impresi\u00f3n ilegal de nombres de par\u00e1metros y valores\"."
}
],
"id": "CVE-2009-3619",
"lastModified": "2024-11-21T01:07:49.170",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-11-10T02:30:00.250",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36292"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36311"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36292"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-05-23 22:55
Modified
2024-11-21 01:11
Severity ?
Summary
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | 0.8 | |
| viewvc | viewvc | 0.9 | |
| viewvc | viewvc | 0.9.1 | |
| viewvc | viewvc | 0.9.2 | |
| viewvc | viewvc | 0.9.3 | |
| viewvc | viewvc | 0.9.4 | |
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.0.11 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 | |
| viewvc | viewvc | 1.1.5 | |
| viewvc | viewvc | 1.1.6 | |
| viewvc | viewvc | 1.1.7 | |
| viewvc | viewvc | 1.1.8 | |
| viewvc | viewvc | 1.1.9 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D91E86E-CC7B-47E5-9880-1E0CB9394D2A",
"versionEndIncluding": "1.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
},
{
"lang": "es",
"value": "ViewVC antes de v1.1.11 permite a atacantes remotos saltar la opci\u00f3n de configuraci\u00f3n de cvsdb que limita el n\u00famero de columnas, y por lo tanto realizar ataques de consumo de recursos, a trav\u00e9s del par\u00e1metro l\u00edmite,como se demuestra con una petici\u00f3n de \"consulta al historial de revisiones\""
}
],
"id": "CVE-2009-5024",
"lastModified": "2024-11-21T01:11:00.813",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-05-23T22:55:01.100",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/47928"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/47928"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-03-31 18:00
Modified
2024-11-21 01:11
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to \"search_re input,\" a different vulnerability than CVE-2010-0736."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ViewVC 1.1 en versiones anteriores a la 1.1.5 y 1.0 en versiones anteriores a la 1.0.11, cuando la funcionalidad de b\u00fasqueda con expresiones regulares est\u00e1 habilitada, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante vectores relacionados con \"search_re input,\" una vulnerabilidad diferente a CVE-2010-0736."
}
],
"id": "CVE-2010-0132",
"lastModified": "2024-11-21T01:11:35.970",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-03-31T18:00:00.327",
"references": [
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38918"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/secunia_research/2010-26/"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://www.securityfocus.com/archive/1/510408/100/0/threaded"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/0743"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"url": "http://www.vupen.com/english/advisories/2010/0844"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038420.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038456.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038925.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38918"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/secunia_research/2010-26/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342\u0026r2=2359\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/510408/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/0743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/0844"
}
],
"sourceIdentifier": "PSIRT-CNA@flexerasoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-10-21 00:07
Modified
2024-11-21 00:19
Severity ?
Summary
ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9D23550-3CE0-4F00-A359-88B2893E9D1F",
"versionEndIncluding": "1.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view."
},
{
"lang": "es",
"value": "ViewVC 1.0.2 y anteriores no especifica un charset en su cabecera HTTP o documentos HTML, lo cual permite a un atacante remoto llevar a cabo un ataque de secuencias de comandos en sitios cruzados que inyectan c\u00f3digo JavaScript UTF-7 de su elecci\u00f3n a a trav\u00e9s de una vista."
}
],
"id": "CVE-2006-5442",
"lastModified": "2024-11-21T00:19:15.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-10-21T00:07:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/22395"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/1755"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/servlets/ReadMsg?list=announce\u0026msgNo=5\u0026raw=true"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "cve@mitre.org",
"url": "http://www.hardened-php.net/advisory_102006.134.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/448762/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/20543"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29576"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/22395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/1755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/servlets/ReadMsg?list=announce\u0026msgNo=5\u0026raw=true"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.hardened-php.net/advisory_102006.134.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/448762/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/20543"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29576"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-11-10 02:30
Modified
2024-11-21 01:07
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en viewvc.py en ViewVC v1.0 anterior a v1.0.9 y v1.1 anterior a v1.1.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"view\". NOTA: algunos de estos detalles han sido obtenidos a partir de informaci\u00f3n de terceros."
}
],
"id": "CVE-2009-3618",
"lastModified": "2024-11-21T01:07:49.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2009-11-10T02:30:00.217",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/56997"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36292"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36311"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52430"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/56997"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36292"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2257"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52430"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-03-24 17:44
Modified
2024-11-21 00:44
Severity ?
Summary
ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*",
"matchCriteriaId": "647BA336-5538-4972-9271-383A0EC9378E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:7:*:*:*:*:*:*:*",
"matchCriteriaId": "EE2027FA-357A-4BE3-9043-6DE8307C040A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:8:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E8256F-3FB6-45B2-8F03-02A61C10FAF0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters."
},
{
"lang": "es",
"value": "ViewVC before 1.0.5 proporciona revisi\u00f3n de metadatos sin comprobar correctamente si el acceso fue intencionado, lo que permite a atacantes remotos obtener informaci\u00f3n sensible leyendo (1) rutas prohibidas en la vista de revisi\u00f3n, (2)el historial del log que s\u00f3lo se puede alcanzar saltando un objeto prohibido, o (3)par\u00e1metros de ruta de vista diff prohibidos."
}
],
"id": "CVE-2008-1292",
"lastModified": "2024-11-21T00:44:11.320",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-03-24T17:44:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "cve@mitre.org",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "cve@mitre.org",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-01-29 18:30
Modified
2024-11-21 01:11
Severity ?
Summary
ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view."
},
{
"lang": "es",
"value": "ViewVc anterior a v1.1.3, compone la vista del listado root sin emplear la autorizaci\u00f3n para cada root, lo que podr\u00eda permitir a atcantes remotos descubrir los nombres privados de root leyendo esta vista."
}
],
"id": "CVE-2010-0004",
"lastModified": "2024-11-21T01:11:18.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-01-29T18:30:00.997",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2010/01/14/4"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242\u0026r2=2313\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2300"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2010/01/11/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2010/01/13/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2010/01/14/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01421.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01464.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-03 00:15
Modified
2024-11-21 05:33
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Summary
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "317FCBFB-4761-4735-8367-4AE5D03AB998",
"versionEndExcluding": "1.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C4C4AE3-6765-4AD4-991F-EF3F0B3EF39E",
"versionEndExcluding": "1.2.1",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
},
{
"lang": "es",
"value": "ViewVC versiones anteriores a 1.1.28 y 1.2.1, presenta una vulnerabilidad de tipo XSS en el soporte show_subdir_lastmod de CVS. El impacto de esta vulnerabilidad est\u00e1 mitigado mediante la necesidad de que un atacante tenga privilegios de commit en un repositorio CVS expuesto por una instancia de ViewVC confiable que tambi\u00e9n tenga la funcionalidad \"show_subdir_lastmod\" habilitada. El vector de ataque involucra archivos con nombres no seguros (nombres que, cuando se insertan en una secuencia de datos HTML, causar\u00edan que el navegador ejecute un c\u00f3digo no deseado), que pueden ser en si mismos dif\u00edciles de crear. Esta vulnerabilidad est\u00e1 parcheada en las versiones 1.2.1 y 1.1.28."
}
],
"id": "CVE-2020-5283",
"lastModified": "2024-11-21T05:33:49.887",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-03T00:15:11.943",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-03-19 19:30
Modified
2024-11-21 01:12
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4FBC080-987D-4B07-983B-ADF1641A2090",
"versionEndIncluding": "1.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via \"user-provided input.\""
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la funci\u00f3n view_queryform en lib/viewvc.py en ViewVC anterior a v1.0.10, y v1.1.x anterior a v1.1.4, permite a atacantes remotos inyectar c\u00f3digo web o HTML de su elecci\u00f3n a trav\u00e9s de \"user-provided input.\""
}
],
"id": "CVE-2010-0736",
"lastModified": "2024-11-21T01:12:51.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-03-19T19:30:00.610",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/10/8"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/16/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313\u0026r2=2342\u0026pathrev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2326"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2010/03/16/14"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-07 22:15
Modified
2024-11-21 00:38
Severity ?
Summary
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696 | Exploit, Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://security-tracker.debian.org/tracker/CVE-2007-5743 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2007-5743 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | 1.0.3 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
},
{
"lang": "es",
"value": "viewvc versi\u00f3n 1.0.3, permite un control de acceso inapropiado a los archivos en un repositorio cuando es usada la opci\u00f3n de configuraci\u00f3n \"forbidden\"."
}
],
"id": "CVE-2007-5743",
"lastModified": "2024-11-21T00:38:36.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T22:15:10.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-03-24 17:44
Modified
2024-11-21 00:44
Severity ?
Summary
ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*",
"matchCriteriaId": "647BA336-5538-4972-9271-383A0EC9378E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:7:*:*:*:*:*:*:*",
"matchCriteriaId": "EE2027FA-357A-4BE3-9043-6DE8307C040A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:8:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E8256F-3FB6-45B2-8F03-02A61C10FAF0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder."
},
{
"lang": "es",
"value": "ViewVC before 1.0.5 almacena informaci\u00f3n sensible bajo la ra\u00edz web con un control de acceso insuficiente, lo que permite a atacantes remotos leer archivos y listar carpetas bajo la carpeta oculta CVSROOT."
}
],
"id": "CVE-2008-1291",
"lastModified": "2024-11-21T00:44:11.170",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-03-24T17:44:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "cve@mitre.org",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "cve@mitre.org",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-07-22 16:55
Modified
2024-11-21 01:40
Severity ?
Summary
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | 0.8 | |
| viewvc | viewvc | 0.9 | |
| viewvc | viewvc | 0.9.1 | |
| viewvc | viewvc | 0.9.2 | |
| viewvc | viewvc | 0.9.3 | |
| viewvc | viewvc | 0.9.4 | |
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.0.11 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 | |
| viewvc | viewvc | 1.1.5 | |
| viewvc | viewvc | 1.1.6 | |
| viewvc | viewvc | 1.1.7 | |
| viewvc | viewvc | 1.1.8 | |
| viewvc | viewvc | 1.1.9 | |
| viewvc | viewvc | 1.1.10 | |
| viewvc | viewvc | 1.1.11 | |
| viewvc | viewvc | 1.1.12 | |
| viewvc | viewvc | 1.1.13 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E32A343E-869D-4BEB-AB65-094C1E548812",
"versionEndIncluding": "1.1.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7419BB99-B279-44B7-A41F-765805695DF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D05FE1-6EA9-4C71-8F4E-8507C5F87952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "38AA489B-4287-48D9-B771-C066E41A7B52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B8E798B8-B3E0-4359-BEFE-777F71AB4ECB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a \"log msg leak.\""
},
{
"lang": "es",
"value": "La revisi\u00f3n de la vista SVN (lib/vclib/svn/svn_repos.py) en ViewVC anterior a 1.1.15 no controla correctamente los mensajes de registro cuando se copia un camino legible de una ruta ilegible, lo que permite a atacantes remotos obtener informaci\u00f3n sensible, relacionada con un \"log msg leak\"."
}
],
"id": "CVE-2012-3357",
"lastModified": "2024-11-21T01:40:41.910",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-07-22T16:55:39.603",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/83227"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/54199"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"source": "secalert@redhat.com",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "secalert@redhat.com",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/83227"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/54199"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-04 16:15
Modified
2024-11-21 07:44
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC8C4A66-8160-4D22-B5D3-F7E59305B977",
"versionEndExcluding": "1.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF380062-387A-470F-9E82-B9323FF0E737",
"versionEndExcluding": "1.2.3",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path \"copyfrom paths\" during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format \"html\"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else \"copyfrom path\" names will be doubly escaped.)\n"
},
{
"lang": "es",
"value": "ViewVC es una interfaz de navegador para repositorios de control de versiones CVS y Subversion. Las versiones anteriores a 1.2.3 y 1.1.30 son vulnerables a cross-site scripting. El impacto de esta vulnerabilidad se ve mitigado por la necesidad de que un atacante tenga privilegios de confirmaci\u00f3n en un repositorio de Subversion expuesto por una instancia de ViewVC que de otro modo ser\u00eda confiable. El vector de ataque involucra archivos con nombres no seguros (nombres que, cuando se incrustan en una secuencia HTML, har\u00edan que el navegador ejecute c\u00f3digo no deseado), que a su vez pueden ser dif\u00edciles de crear. Los usuarios deben actualizar al menos a la versi\u00f3n 1.2.3 (si usan una versi\u00f3n 1.2.x de ViewVC) o 1.1.30 (si usan una versi\u00f3n 1.1.x). ViewVC 1.0.x ya no es compatible, por lo que los usuarios de ese linaje de versiones deben implementar una de las siguientes soluciones. Los usuarios pueden editar sus plantillas de vista ViewVC EZT para escapar manualmente de la ruta cambiada en HTML \"copiar desde rutas\" durante el renderizado. Ubique en el archivo `revision.ezt` de su conjunto de plantillas las referencias a esas rutas modificadas y envu\u00e9lvalas con `[formato \"html\"]` y `[end]`. Para la mayor\u00eda de los usuarios, eso significa que las referencias a `[changes.copy_path]` se convertir\u00e1n en `[format \"html\"][changes.copy_path][end]`. (Este workaround debe revertirse despu\u00e9s de actualizar a una versi\u00f3n parcheada de ViewVC; de lo contrario, los nombres de \"ruta de copia\" aparecer\u00e1n doblemente como escape)."
}
],
"id": "CVE-2023-22464",
"lastModified": "2024-11-21T07:44:51.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-04T16:15:09.237",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-03 19:15
Modified
2024-11-21 07:44
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/viewvc/viewvc/issues/311 | Issue Tracking, Third Party Advisory | |
| security-advisories@github.com | https://github.com/viewvc/viewvc/releases/tag/1.1.29 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/viewvc/viewvc/releases/tag/1.2.2 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/issues/311 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/releases/tag/1.1.29 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/releases/tag/1.2.2 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB51E00C-7F8B-426A-80EF-C57BDE6DE88F",
"versionEndExcluding": "1.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "227BB175-E196-488C-9E25-3F39111283E9",
"versionEndExcluding": "1.2.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)"
},
{
"lang": "es",
"value": "ViewVC, una interfaz de navegador para repositorios de control de versiones de CVS y Subversion, es una vulnerabilidad de cross-site scripting que afecta a versiones anteriores a 1.2.2 y 1.1.29. El impacto de esta vulnerabilidad se ve mitigado por la necesidad de que un atacante tenga privilegios de confirmaci\u00f3n en un repositorio de Subversion expuesto por una instancia de ViewVC que, de otro modo, ser\u00eda de confianza. El vector de ataque implica archivos con nombres no seguros (nombres que, al incrustarse en una secuencia HTML, har\u00edan que el navegador ejecutara c\u00f3digo no deseado), que pueden ser dif\u00edciles de crear. Los usuarios deben actualizar al menos a la versi\u00f3n 1.2.2 (si est\u00e1n usando una versi\u00f3n 1.2.x de ViewVC) o 1.1.29 (si est\u00e1n usando una versi\u00f3n 1.1.x). ViewVC 1.0.x ya no es compatible, por lo que los usuarios de esa l\u00ednea de versiones deben implementar un workaround. Los usuarios pueden editar sus plantillas de vista EZT de ViewVC para escapar manualmente mediante HTML las rutas modificadas durante la representaci\u00f3n. Localice en el archivo `revision.ezt` de su conjunto de plantillas las referencias a esas rutas modificadas y enci\u00e9rrelas con `[format \"html\"]` y `[end]`. Para la mayor\u00eda de los usuarios, eso significa que las referencias a `[changes.path]` se convertir\u00e1n en `[format \"html\"][changes.path][end]`. (Este workaround se debe revertir despu\u00e9s de actualizar a una versi\u00f3n parcheada de ViewVC, de lo contrario, los nombres de las rutas modificadas se escapar\u00e1n dos veces)."
}
],
"id": "CVE-2023-22456",
"lastModified": "2024-11-21T07:44:50.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-03T19:15:10.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-03-24 17:44
Modified
2024-11-21 00:44
Severity ?
Summary
ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*",
"matchCriteriaId": "647BA336-5538-4972-9271-383A0EC9378E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:7:*:*:*:*:*:*:*",
"matchCriteriaId": "EE2027FA-357A-4BE3-9043-6DE8307C040A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:fedora:8:*:*:*:*:*:*:*",
"matchCriteriaId": "C8E8256F-3FB6-45B2-8F03-02A61C10FAF0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.0.5 includes \"all-forbidden\" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information."
},
{
"lang": "es",
"value": "ViewVC antes de 1.0.5 incluye archivos \"all-forbidden\" (todo prohibido) dentro de resultados de b\u00fasqueda que listan asignaciones CVS o Subversion (SVN), lo que permite a atacantes remotos obtener informaci\u00f3n sensible."
}
],
"id": "CVE-2008-1290",
"lastModified": "2024-11-21T00:44:11.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-03-24T17:44:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "cve@mitre.org",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "cve@mitre.org",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "cve@mitre.org",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=212288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/29460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200803-29.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/28055"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/0734/references"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}