C. Michael Pilato - Security Researcher - Exploit Intelligence Platform

CVE-2017-5938 WRITEUP MEDIUM WRITEUP

Debian Linux < 1.1.25 - XSS

Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

CVSS 6.1

View Code

CVE-2020-5283 WRITEUP LOW WRITEUP

Viewvc < 1.1.28 - Basic XSS

ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

CVSS 3.1

View Code

CVE-2025-54141 WRITEUP HIGH WRITEUP

Viewvc < 1.1.31 - Path Traversal

ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.

CVSS 7.5

View Code