C. Michael Pilato

4 exploits Active since Mar 2017
CVE-2025-54141 WRITEUP HIGH WRITEUP
ViewVC 1.1.0-1.1.31 and 1.2.0-1.2.3 - Path Traversal via Standalone Script
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
CVSS 7.5
CVE-2017-5938 WRITEUP MEDIUM WRITEUP
Debian Linux < 1.1.25 - XSS
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
CVSS 6.1
CVE-2020-5283 WRITEUP LOW WRITEUP
ViewVC < 1.1.28 - Cross-Site Scripting in CVS show_subdir_lastmod
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
CVSS 3.1
CVE-2025-54141 WRITEUP HIGH WRITEUP
ViewVC 1.1.0-1.1.31 and 1.2.0-1.2.3 - Path Traversal via Standalone Script
ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.
CVSS 7.5