63 vulnerabilities found for viewvc by viewvc
FKIE_CVE-2025-54141
Vulnerability from fkie_nvd - Published: 2025-07-22 22:15 - Updated: 2025-08-05 17:17
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem through a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8A68A5A4-DB0E-48E2-8036-51468875A48B",
"versionEndExcluding": "1.1.31",
"versionStartIncluding": "1.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66230621-C765-45EE-94C9-67597CC2B40C",
"versionEndExcluding": "1.2.4",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server\u0027s filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4."
},
{
"lang": "es",
"value": "ViewVC es una interfaz de navegador para repositorios de control de versiones de CVS y Subversion. En las versiones 1.1.0 a 1.1.31 y 1.2.0 a 1.2.3, el script standalone.py incluido en la distribuci\u00f3n de ViewVC puede exponer el contenido del sistema de archivos del servidor host mediante un ataque de directory traversal. Esto se ha corregido en las versiones 1.1.31 y 1.2.4."
}
],
"id": "CVE-2025-54141",
"lastModified": "2025-08-05T17:17:58.910",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-22T22:15:38.537",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2023-22464
Vulnerability from fkie_nvd - Published: 2023-01-04 16:15 - Updated: 2024-11-21 07:44
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC8C4A66-8160-4D22-B5D3-F7E59305B977",
"versionEndExcluding": "1.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF380062-387A-470F-9E82-B9323FF0E737",
"versionEndExcluding": "1.2.3",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path \"copyfrom paths\" during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format \"html\"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else \"copyfrom path\" names will be doubly escaped.)\n"
},
{
"lang": "es",
"value": "ViewVC es una interfaz de navegador para repositorios de control de versiones CVS y Subversion. Las versiones anteriores a 1.2.3 y 1.1.30 son vulnerables a cross-site scripting. El impacto de esta vulnerabilidad se ve mitigado por la necesidad de que un atacante tenga privilegios de confirmaci\u00f3n en un repositorio de Subversion expuesto por una instancia de ViewVC que de otro modo ser\u00eda confiable. El vector de ataque involucra archivos con nombres no seguros (nombres que, cuando se incrustan en una secuencia HTML, har\u00edan que el navegador ejecute c\u00f3digo no deseado), que a su vez pueden ser dif\u00edciles de crear. Los usuarios deben actualizar al menos a la versi\u00f3n 1.2.3 (si usan una versi\u00f3n 1.2.x de ViewVC) o 1.1.30 (si usan una versi\u00f3n 1.1.x). ViewVC 1.0.x ya no es compatible, por lo que los usuarios de ese linaje de versiones deben implementar una de las siguientes soluciones. Los usuarios pueden editar sus plantillas de vista ViewVC EZT para escapar manualmente de la ruta cambiada en HTML \"copiar desde rutas\" durante el renderizado. Ubique en el archivo `revision.ezt` de su conjunto de plantillas las referencias a esas rutas modificadas y envu\u00e9lvalas con `[formato \"html\"]` y `[end]`. Para la mayor\u00eda de los usuarios, eso significa que las referencias a `[changes.copy_path]` se convertir\u00e1n en `[format \"html\"][changes.copy_path][end]`. (Este workaround debe revertirse despu\u00e9s de actualizar a una versi\u00f3n parcheada de ViewVC; de lo contrario, los nombres de \"ruta de copia\" aparecer\u00e1n doblemente como escape)."
}
],
"id": "CVE-2023-22464",
"lastModified": "2024-11-21T07:44:51.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-04T16:15:09.237",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-22456
Vulnerability from fkie_nvd - Published: 2023-01-03 19:15 - Updated: 2024-11-21 07:44
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/viewvc/viewvc/issues/311 | Issue Tracking, Third Party Advisory |
| security-advisories@github.com | https://github.com/viewvc/viewvc/releases/tag/1.1.29 | Patch, Third Party Advisory |
| security-advisories@github.com | https://github.com/viewvc/viewvc/releases/tag/1.2.2 | Patch, Third Party Advisory |
| security-advisories@github.com | https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/issues/311 | Issue Tracking, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/releases/tag/1.1.29 | Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/releases/tag/1.2.2 | Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB51E00C-7F8B-426A-80EF-C57BDE6DE88F",
"versionEndExcluding": "1.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "227BB175-E196-488C-9E25-3F39111283E9",
"versionEndExcluding": "1.2.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)"
},
{
"lang": "es",
"value": "ViewVC, una interfaz de navegador para repositorios de control de versiones de CVS y Subversion, es una vulnerabilidad de cross-site scripting que afecta a versiones anteriores a 1.2.2 y 1.1.29. El impacto de esta vulnerabilidad se ve mitigado por la necesidad de que un atacante tenga privilegios de confirmaci\u00f3n en un repositorio de Subversion expuesto por una instancia de ViewVC que, de otro modo, ser\u00eda de confianza. El vector de ataque implica archivos con nombres no seguros (nombres que, al incrustarse en una secuencia HTML, har\u00edan que el navegador ejecutara c\u00f3digo no deseado), que pueden ser dif\u00edciles de crear. Los usuarios deben actualizar al menos a la versi\u00f3n 1.2.2 (si est\u00e1n usando una versi\u00f3n 1.2.x de ViewVC) o 1.1.29 (si est\u00e1n usando una versi\u00f3n 1.1.x). ViewVC 1.0.x ya no es compatible, por lo que los usuarios de esa l\u00ednea de versiones deben implementar un workaround. Los usuarios pueden editar sus plantillas de vista EZT de ViewVC para escapar manualmente mediante HTML las rutas modificadas durante la representaci\u00f3n. Localice en el archivo `revision.ezt` de su conjunto de plantillas las referencias a esas rutas modificadas y enci\u00e9rrelas con `[format \"html\"]` y `[end]`. Para la mayor\u00eda de los usuarios, eso significa que las referencias a `[changes.path]` se convertir\u00e1n en `[format \"html\"][changes.path][end]`. (Este workaround se debe revertir despu\u00e9s de actualizar a una versi\u00f3n parcheada de ViewVC, de lo contrario, los nombres de las rutas modificadas se escapar\u00e1n dos veces)."
}
],
"id": "CVE-2023-22456",
"lastModified": "2024-11-21T07:44:50.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-03T19:15:10.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5283
Vulnerability from fkie_nvd - Published: 2020-04-03 00:15 - Updated: 2024-11-21 05:33
Severity
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Summary
ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "317FCBFB-4761-4735-8367-4AE5D03AB998",
"versionEndExcluding": "1.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C4C4AE3-6765-4AD4-991F-EF3F0B3EF39E",
"versionEndExcluding": "1.2.1",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
},
{
"lang": "es",
"value": "ViewVC versiones anteriores a 1.1.28 y 1.2.1, presenta una vulnerabilidad de tipo XSS en el soporte show_subdir_lastmod de CVS. El impacto de esta vulnerabilidad est\u00e1 mitigado mediante la necesidad de que un atacante tenga privilegios de commit en un repositorio CVS expuesto por una instancia de ViewVC confiable que tambi\u00e9n tenga la funcionalidad \"show_subdir_lastmod\" habilitada. El vector de ataque involucra archivos con nombres no seguros (nombres que, cuando se insertan en una secuencia de datos HTML, causar\u00edan que el navegador ejecute un c\u00f3digo no deseado), que pueden ser en si mismos dif\u00edciles de crear. Esta vulnerabilidad est\u00e1 parcheada en las versiones 1.2.1 y 1.1.28."
}
],
"id": "CVE-2020-5283",
"lastModified": "2024-11-21T05:33:49.887",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-03T00:15:11.943",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2007-5743
Vulnerability from fkie_nvd - Published: 2019-11-07 22:15 - Updated: 2024-11-21 00:38
Summary
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696 | Exploit, Issue Tracking, Third Party Advisory |
| cve@mitre.org | https://security-tracker.debian.org/tracker/CVE-2007-5743 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696 | Exploit, Issue Tracking, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2007-5743 | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| viewvc | viewvc | 1.0.3 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
},
{
"lang": "es",
"value": "viewvc versi\u00f3n 1.0.3, permite un control de acceso inapropiado a los archivos en un repositorio cuando es usada la opci\u00f3n de configuraci\u00f3n \"forbidden\"."
}
],
"id": "CVE-2007-5743",
"lastModified": "2024-11-21T00:38:36.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T22:15:10.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-5938
Vulnerability from fkie_nvd - Published: 2017-03-15 14:59 - Updated: 2025-04-20 01:37
Summary
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| opensuse | leap | 42.2 |
| opensuse_project | leap | 42.1 |
| viewvc | viewvc | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1EA337A3-B9A3-4962-B8BD-8E0C7C5B28EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse_project:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CF605E46-ADCE-45B3-BBBA-E593D3CEE2A6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48F736A6-92CB-475A-9BCB-1FD1A1066E7F",
"versionEndIncluding": "1.1.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
},
{
"lang": "es",
"value": "La vulnerabilidad tipo cross-site-scripting (XSS) en la funci\u00f3n nav_path en el archivo lib/viewvc.py en ViewVC anterior a versi\u00f3n 1.0.14 y 1.1.x anterior a versi\u00f3n 1.1.26, permite a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio del nombre nav_data."
}
],
"id": "CVE-2017-5938",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-15T14:59:00.557",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-4533
Vulnerability from fkie_nvd - Published: 2012-11-19 00:55 - Updated: 2025-04-11 00:51
Summary
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | * | |
| debian | debian_linux | 6.0 | |
| debian | debian_linux | 7.0 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37BA9607-E687-4720-A24E-7AD9F6C6ABEE",
"versionEndExcluding": "1.0.13",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1981E5-8550-4B67-8FA2-F98373B03AA0",
"versionEndExcluding": "1.1.16",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the \"extra\" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the \"function name\" line."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en los detalles \"extra\" en la funci\u00f3n DiffSource._get_row en lib/viewvc.py en ViewVC v1.0.x antes de v1.0.13 y v1.1.x antes de v1.1.16 permite inyectar secuencias de comandos web o HTML a usuarios remotos autenticados con acceso al repositorio de versiones a trav\u00e9s de la l\u00ednea nombre de funci\u00f3n (function name\").\r\n"
}
],
"id": "CVE-2012-4533",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-11-19T00:55:00.900",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/86566"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51041"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51072"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/86566"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51041"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/51072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-3356
Vulnerability from fkie_nvd - Published: 2012-07-22 16:55 - Updated: 2025-04-11 00:51
Summary
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | 0.8 | |
| viewvc | viewvc | 0.9 | |
| viewvc | viewvc | 0.9.1 | |
| viewvc | viewvc | 0.9.2 | |
| viewvc | viewvc | 0.9.3 | |
| viewvc | viewvc | 0.9.4 | |
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.0.11 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 | |
| viewvc | viewvc | 1.1.5 | |
| viewvc | viewvc | 1.1.6 | |
| viewvc | viewvc | 1.1.7 | |
| viewvc | viewvc | 1.1.8 | |
| viewvc | viewvc | 1.1.9 | |
| viewvc | viewvc | 1.1.10 | |
| viewvc | viewvc | 1.1.11 | |
| viewvc | viewvc | 1.1.12 | |
| viewvc | viewvc | 1.1.13 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E32A343E-869D-4BEB-AB65-094C1E548812",
"versionEndIncluding": "1.1.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7419BB99-B279-44B7-A41F-765805695DF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D05FE1-6EA9-4C71-8F4E-8507C5F87952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "38AA489B-4287-48D9-B771-C066E41A7B52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B8E798B8-B3E0-4359-BEFE-777F71AB4ECB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors."
},
{
"lang": "es",
"value": "La vista SVN de funcionalidad remota (lib/vclib/svn/svn_ra.py) en ViewVC anterior a v1.1.15 no realiza correctamente la autorizaci\u00f3n, permite a atacantes remotos eludir restricciones de acceso a trav\u00e9s destinados vectores no especificados."
}
],
"id": "CVE-2012-3356",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-07-22T16:55:39.523",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/83225"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/54197"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"source": "secalert@redhat.com",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "secalert@redhat.com",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/83225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/54197"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-3357
Vulnerability from fkie_nvd - Published: 2012-07-22 16:55 - Updated: 2025-04-11 00:51
Summary
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewvc | viewvc | * | |
| viewvc | viewvc | 0.8 | |
| viewvc | viewvc | 0.9 | |
| viewvc | viewvc | 0.9.1 | |
| viewvc | viewvc | 0.9.2 | |
| viewvc | viewvc | 0.9.3 | |
| viewvc | viewvc | 0.9.4 | |
| viewvc | viewvc | 1.0.0 | |
| viewvc | viewvc | 1.0.1 | |
| viewvc | viewvc | 1.0.2 | |
| viewvc | viewvc | 1.0.3 | |
| viewvc | viewvc | 1.0.4 | |
| viewvc | viewvc | 1.0.5 | |
| viewvc | viewvc | 1.0.6 | |
| viewvc | viewvc | 1.0.7 | |
| viewvc | viewvc | 1.0.8 | |
| viewvc | viewvc | 1.0.9 | |
| viewvc | viewvc | 1.0.10 | |
| viewvc | viewvc | 1.0.11 | |
| viewvc | viewvc | 1.1.0 | |
| viewvc | viewvc | 1.1.1 | |
| viewvc | viewvc | 1.1.2 | |
| viewvc | viewvc | 1.1.3 | |
| viewvc | viewvc | 1.1.4 | |
| viewvc | viewvc | 1.1.5 | |
| viewvc | viewvc | 1.1.6 | |
| viewvc | viewvc | 1.1.7 | |
| viewvc | viewvc | 1.1.8 | |
| viewvc | viewvc | 1.1.9 | |
| viewvc | viewvc | 1.1.10 | |
| viewvc | viewvc | 1.1.11 | |
| viewvc | viewvc | 1.1.12 | |
| viewvc | viewvc | 1.1.13 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E32A343E-869D-4BEB-AB65-094C1E548812",
"versionEndIncluding": "1.1.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7419BB99-B279-44B7-A41F-765805695DF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D05FE1-6EA9-4C71-8F4E-8507C5F87952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "38AA489B-4287-48D9-B771-C066E41A7B52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "B8E798B8-B3E0-4359-BEFE-777F71AB4ECB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a \"log msg leak.\""
},
{
"lang": "es",
"value": "La revisi\u00f3n de la vista SVN (lib/vclib/svn/svn_repos.py) en ViewVC anterior a 1.1.15 no controla correctamente los mensajes de registro cuando se copia un camino legible de una ruta ilegible, lo que permite a atacantes remotos obtener informaci\u00f3n sensible, relacionada con un \"log msg leak\"."
}
],
"id": "CVE-2012-3357",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-07-22T16:55:39.603",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/83227"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/54199"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"source": "secalert@redhat.com",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "secalert@redhat.com",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/83227"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/54199"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lwn.net/Articles/505096/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2009-5024
Vulnerability from fkie_nvd - Published: 2011-05-23 22:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| viewvc | viewvc | * |
| viewvc | viewvc | 0.8 |
| viewvc | viewvc | 0.9 |
| viewvc | viewvc | 0.9.1 |
| viewvc | viewvc | 0.9.2 |
| viewvc | viewvc | 0.9.3 |
| viewvc | viewvc | 0.9.4 |
| viewvc | viewvc | 1.0.0 |
| viewvc | viewvc | 1.0.1 |
| viewvc | viewvc | 1.0.2 |
| viewvc | viewvc | 1.0.3 |
| viewvc | viewvc | 1.0.4 |
| viewvc | viewvc | 1.0.5 |
| viewvc | viewvc | 1.0.6 |
| viewvc | viewvc | 1.0.7 |
| viewvc | viewvc | 1.0.8 |
| viewvc | viewvc | 1.0.9 |
| viewvc | viewvc | 1.0.10 |
| viewvc | viewvc | 1.0.11 |
| viewvc | viewvc | 1.1.0 |
| viewvc | viewvc | 1.1.1 |
| viewvc | viewvc | 1.1.2 |
| viewvc | viewvc | 1.1.3 |
| viewvc | viewvc | 1.1.4 |
| viewvc | viewvc | 1.1.5 |
| viewvc | viewvc | 1.1.6 |
| viewvc | viewvc | 1.1.7 |
| viewvc | viewvc | 1.1.8 |
| viewvc | viewvc | 1.1.9 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D91E86E-CC7B-47E5-9880-1E0CB9394D2A",
"versionEndIncluding": "1.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB85009-6655-4288-B06B-18074F69EF67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8344FE80-0BEF-4FE4-A87C-8A03CF83406B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2C1671BC-6DF0-4FD3-991B-B342E1DA1EB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01FEFC-DE9B-4CBD-9F3E-C5F37A7FA70C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "67365FF3-29FE-40BD-8986-467AFCDD2210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "90060F09-83C0-480F-AAF6-5006CD439E7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "59DBEDF6-248F-4850-B50C-61835DB89374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "007977CF-1BF9-4713-AFDF-50DEE2530AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "793F6DB3-A6C2-4813-BD2D-AF34D85F6CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6F2BC5-D099-427C-9513-75551ABF1997",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4748AA05-D2ED-4365-83AE-74CD33592B5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "91ADB624-1826-405C-BB1E-3D286ED03D5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AE31C7-1929-48A4-8A3A-860A110E4820",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "F71721BF-9010-4595-96F8-CF499B0FFE6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "96AD0DD2-206B-4231-B09E-9B83F6E0239E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7F4AAD-EB09-47F1-A7B7-5436E766A0C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E0D457A6-C530-42AC-9BCF-640A89D9BF5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "6AD3EFA7-5B31-453C-8319-8A943C149731",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECD4F7E-011C-4E92-9D8E-AC378B204C05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE78493-E4EB-4555-BA56-A29AFE680B56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C076220E-CFB1-44B0-9884-840F4C5B4F9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "77350E39-A3A7-463E-BF70-D1BD99F7C23E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB57E24E-00A7-4099-8135-64B0E165FEBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "46A3CC38-5905-40B1-BD8B-EA378D8F5106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "402EB3C0-3B69-4EF5-8342-1BCC411E8788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "276B3475-7B55-48CC-8F34-0439AE5B8291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "14320E94-C5AA-4E5B-8005-C38BD4F9989F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewvc:viewvc:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "110D1159-D604-443F-85F8-670570FF7679",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
},
{
"lang": "es",
"value": "ViewVC antes de v1.1.11 permite a atacantes remotos saltar la opci\u00f3n de configuraci\u00f3n de cvsdb que limita el n\u00famero de columnas, y por lo tanto realizar ataques de consumo de recursos, a trav\u00e9s del par\u00e1metro l\u00edmite,como se demuestra con una petici\u00f3n de \"consulta al historial de revisiones\""
}
],
"id": "CVE-2009-5024",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-05-23T22:55:01.100",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"source": "secalert@redhat.com",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/47928"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/47928"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-54141 (GCVE-0-2025-54141)
Vulnerability from cvelistv5 – Published: 2025-07-22 21:35 – Updated: 2025-07-23 18:31
VLAI?
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem through a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
Severity ?
7.5 (High)
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T18:31:23.195289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T18:31:31.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 1.1.31"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server\u0027s filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T21:35:47.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397"
},
{
"name": "https://github.com/viewvc/viewvc/issues/211",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"name": "https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7"
},
{
"name": "https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84"
}
],
"source": {
"advisory": "GHSA-rv3m-76rj-q397",
"discovery": "UNKNOWN"
},
"title": "ViewVC\u0027s standalone server exposes arbitrary server filesystem content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54141",
"datePublished": "2025-07-22T21:35:47.844Z",
"dateReserved": "2025-07-16T23:53:40.511Z",
"dateUpdated": "2025-07-23T18:31:31.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22464 (GCVE-0-2023-22464)
Vulnerability from cvelistv5 – Published: 2023-01-04 15:12 – Updated: 2025-03-10 21:32
VLAI?
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
Severity ?
5.4 (Medium)
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22464",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:53.705497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:32:51.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.30"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path \"copyfrom paths\" during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format \"html\"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else \"copyfrom path\" names will be doubly escaped.)\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-04T15:12:50.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"source": {
"advisory": "GHSA-jvpj-293q-q53h",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed path \"copyfrom\" locations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22464",
"datePublished": "2023-01-04T15:12:50.980Z",
"dateReserved": "2022-12-29T03:00:40.879Z",
"dateUpdated": "2025-03-10T21:32:51.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22456 (GCVE-0-2023-22456)
Vulnerability from cvelistv5 – Published: 2023-01-03 18:29 – Updated: 2025-03-10 21:33
VLAI?
Summary
ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:00:45.571227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:33:20.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.29"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T18:29:51.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"source": {
"advisory": "GHSA-j4mx-f97j-gc5g",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22456",
"datePublished": "2023-01-03T18:29:51.262Z",
"dateReserved": "2022-12-29T03:00:40.878Z",
"dateUpdated": "2025-03-10T21:33:20.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5283 (GCVE-0-2020-5283)
Vulnerability from cvelistv5 – Published: 2020-04-03 00:10 – Updated: 2024-08-04 08:22
VLAI?
Summary
ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
Severity ?
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.28"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-15T05:06:08",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability in CVS show_subdir_lastmod support",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5283",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability in CVS show_subdir_lastmod support"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "viewvc",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.28"
},
{
"version_value": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
}
]
},
"vendor_name": "viewvc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"name": "https://github.com/viewvc/viewvc/issues/211",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"name": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
]
},
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5283",
"datePublished": "2020-04-03T00:10:13",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-5743 (GCVE-0-2007-5743)
Vulnerability from cvelistv5 – Published: 2019-11-07 21:55 – Updated: 2024-08-07 15:39
Summary
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:39:13.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-03-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-07T21:55:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5743",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2007-5743",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5743",
"datePublished": "2019-11-07T21:55:32",
"dateReserved": "2007-10-31T00:00:00",
"dateUpdated": "2024-08-07T15:39:13.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5938 (GCVE-0-2017-5938)
Vulnerability from cvelistv5 – Published: 2017-03-15 14:00 – Updated: 2024-08-05 15:18
Summary
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:49.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-07T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.0.14",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"name": "https://github.com/viewvc/viewvc/issues/137",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96185"
},
{
"name": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.26",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5938",
"datePublished": "2017-03-15T14:00:00",
"dateReserved": "2017-02-08T00:00:00",
"dateUpdated": "2024-08-05T15:18:49.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4533 (GCVE-0-2012-4533)
Vulnerability from cvelistv5 – Published: 2012-11-19 00:00 – Updated: 2024-08-06 20:42
Summary
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:42:53.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51072"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the \"extra\" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the \"function name\" line."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51072"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4533",
"datePublished": "2012-11-19T00:00:00",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:42:53.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3357 (GCVE-0-2012-3357)
Vulnerability from cvelistv5 – Published: 2012-07-22 16:00 – Updated: 2024-08-06 20:05
Summary
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:12.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a \"log msg leak.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3357",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:12.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3356 (GCVE-0-2012-3356)
Vulnerability from cvelistv5 – Published: 2012-07-22 16:00 – Updated: 2024-08-06 20:05
Summary
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:11.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3356",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:11.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-5024 (GCVE-0-2009-5024)
Vulnerability from cvelistv5 – Published: 2011-05-23 22:00 – Updated: 2024-08-07 07:24
Summary
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:24:53.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-20T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-5024",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "47928",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"name": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-5024",
"datePublished": "2011-05-23T22:00:00",
"dateReserved": "2010-12-09T00:00:00",
"dateUpdated": "2024-08-07T07:24:53.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54141 (GCVE-0-2025-54141)
Vulnerability from nvd – Published: 2025-07-22 21:35 – Updated: 2025-07-23 18:31
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem through a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
Severity
7.5 (High)
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T18:31:23.195289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T18:31:31.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 1.1.31"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server\u0027s filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T21:35:47.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-rv3m-76rj-q397"
},
{
"name": "https://github.com/viewvc/viewvc/issues/211",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"name": "https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/1dd84542c39b39e4a3f434db84a8ba3441d6a1e7"
},
{
"name": "https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/5d7c76be07b77dce4ff631e9b866056344f11e84"
}
],
"source": {
"advisory": "GHSA-rv3m-76rj-q397",
"discovery": "UNKNOWN"
},
"title": "ViewVC\u0027s standalone server exposes arbitrary server filesystem content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54141",
"datePublished": "2025-07-22T21:35:47.844Z",
"dateReserved": "2025-07-16T23:53:40.511Z",
"dateUpdated": "2025-07-23T18:31:31.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22464 (GCVE-0-2023-22464)
Vulnerability from nvd – Published: 2023-01-04 15:12 – Updated: 2025-03-10 21:32
Summary
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
Severity
5.4 (Medium)
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22464",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:53.705497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:32:51.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.30"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path \"copyfrom paths\" during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format \"html\"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else \"copyfrom path\" names will be doubly escaped.)\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-04T15:12:50.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-jvpj-293q-q53h"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.30"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.3"
}
],
"source": {
"advisory": "GHSA-jvpj-293q-q53h",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed path \"copyfrom\" locations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22464",
"datePublished": "2023-01-04T15:12:50.980Z",
"dateReserved": "2022-12-29T03:00:40.879Z",
"dateUpdated": "2025-03-10T21:32:51.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22456 (GCVE-0-2023-22456)
Vulnerability from nvd – Published: 2023-01-03 18:29 – Updated: 2025-03-10 21:33
Summary
ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).
ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:00:45.571227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:33:20.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.29"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).\n\nViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set\u0027s `revision.ezt` file references to those changed paths, and wrap them with `[format \"html\"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format \"html\"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T18:29:51.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-j4mx-f97j-gc5g"
},
{
"name": "https://github.com/viewvc/viewvc/issues/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/311"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.29"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.2.2"
}
],
"source": {
"advisory": "GHSA-j4mx-f97j-gc5g",
"discovery": "UNKNOWN"
},
"title": "ViewVC XSS vulnerability in revision view changed paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22456",
"datePublished": "2023-01-03T18:29:51.262Z",
"dateReserved": "2022-12-29T03:00:40.878Z",
"dateUpdated": "2025-03-10T21:33:20.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5283 (GCVE-0-2020-5283)
Vulnerability from nvd – Published: 2020-04-03 00:10 – Updated: 2024-08-04 08:22
Summary
ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "viewvc",
"vendor": "viewvc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.28"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-15T05:06:08",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
],
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability in CVS show_subdir_lastmod support",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5283",
"STATE": "PUBLIC",
"TITLE": "XSS vulnerability in CVS show_subdir_lastmod support"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "viewvc",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.28"
},
{
"version_value": "\u003e= 1.2.0, \u003c 1.2.1"
}
]
}
}
]
},
"vendor_name": "viewvc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg"
},
{
"name": "https://github.com/viewvc/viewvc/issues/211",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/issues/211"
},
{
"name": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8",
"refsource": "MISC",
"url": "https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8"
},
{
"name": "FEDORA-2020-c952520959",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/"
}
]
},
"source": {
"advisory": "GHSA-xpxf-fvqv-7mfg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5283",
"datePublished": "2020-04-03T00:10:13",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-5743 (GCVE-0-2007-5743)
Vulnerability from nvd – Published: 2019-11-07 21:55 – Updated: 2024-08-07 15:39
Summary
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
Severity
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T15:39:13.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-03-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-07T21:55:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-5743",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "viewvc 1.0.3 allows improper access control to files in a repository when using the \"forbidden\" configuration option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2007-5743",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2007-5743"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416696"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-5743",
"datePublished": "2019-11-07T21:55:32",
"dateReserved": "2007-10-31T00:00:00",
"dateUpdated": "2024-08-07T15:39:13.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5938 (GCVE-0-2017-5938)
Vulnerability from nvd – Published: 2017-03-15 14:00 – Updated: 2024-08-05 15:18
Summary
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
Severity
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:49.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-07T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96185"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5938",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.0.14",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.0.14"
},
{
"name": "https://github.com/viewvc/viewvc/issues/137",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/issues/137"
},
{
"name": "96185",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96185"
},
{
"name": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad"
},
{
"name": "https://github.com/viewvc/viewvc/releases/tag/1.1.26",
"refsource": "CONFIRM",
"url": "https://github.com/viewvc/viewvc/releases/tag/1.1.26"
},
{
"name": "[oss-security] 20170208 Re: CVE request: XSS in viewvc",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2017/02/09/6"
},
{
"name": "DSA-3784",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3784"
},
{
"name": "openSUSE-SU-2017:0501",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00082.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5938",
"datePublished": "2017-03-15T14:00:00",
"dateReserved": "2017-02-08T00:00:00",
"dateUpdated": "2024-08-05T15:18:49.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4533 (GCVE-0-2012-4533)
Vulnerability from nvd – Published: 2012-11-19 00:00 – Updated: 2024-08-06 20:42
Summary
Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:42:53.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51072"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the \"extra\" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the \"function name\" line."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=515"
},
{
"name": "86566",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/86566"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2794"
},
{
"name": "51041",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51041"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2792"
},
{
"name": "56161",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56161"
},
{
"name": "viewvc-viewvc-checkins-xss(79561)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79561"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.0.13/CHANGES"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062"
},
{
"name": "[oss-security] 20121020 Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "[oss-security] 20121020 CVE Request: viewvc 1.1.5 lib/viewvc.py XSS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/21/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.16/CHANGES"
},
{
"name": "51072",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51072"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4533",
"datePublished": "2012-11-19T00:00:00",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:42:53.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3357 (GCVE-0-2012-3357)
Vulnerability from nvd – Published: 2012-07-22 16:00 – Updated: 2024-08-06 20:05
Summary
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:12.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a \"log msg leak.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"name": "viewvc-svnra-info-disclosure(76615)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76615"
},
{
"name": "54199",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54199"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2758"
},
{
"name": "83227",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83227"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3357",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:12.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-3356 (GCVE-0-2012-3356)
Vulnerability from nvd – Published: 2012-07-22 16:00 – Updated: 2024-08-06 20:05
Summary
The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:05:11.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20120625 Re: CVE Request: viewvc",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/06/25/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2760"
},
{
"name": "54197",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/54197"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.15/CHANGES"
},
{
"name": "viewvc-svnra-security-bypass(76614)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76614"
},
{
"name": "83225",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/83225"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2755"
},
{
"name": "openSUSE-SU-2012:0831",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "https://lwn.net/Articles/505096/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2759"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc?view=rev\u0026revision=2756"
},
{
"name": "MDVSA-2013:134",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:134"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=353"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-3356",
"datePublished": "2012-07-22T16:00:00",
"dateReserved": "2012-06-14T00:00:00",
"dateUpdated": "2024-08-06T20:05:11.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-5024 (GCVE-0-2009-5024)
Vulnerability from nvd – Published: 2011-05-23 22:00 – Updated: 2024-08-07 07:24
Summary
ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:24:53.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-11-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-20T10:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "47928",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.11/CHANGES"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-5024",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a \"query revision history\" request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "47928",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/47928"
},
{
"name": "[oss-security] 20110519 Re: CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/9"
},
{
"name": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/issues/show_bug.cgi?id=433"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?diff_format=u\u0026r1=2547\u0026r2=2546\u0026pathrev=2547"
},
{
"name": "[oss-security] 20110519 CVE Request: viewvc DoS",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2011/05/19/1"
},
{
"name": "DSA-2563",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2012/dsa-2563"
},
{
"name": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.11/CHANGES"
},
{
"name": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547",
"refsource": "CONFIRM",
"url": "http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/cvsdb.py?diff_format=u\u0026view=log#rev2547"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-5024",
"datePublished": "2011-05-23T22:00:00",
"dateReserved": "2010-12-09T00:00:00",
"dateUpdated": "2024-08-07T07:24:53.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}