CVE-2018-1000998

MEDIUM

FreeBSD CVSweb 2.0.4-2.0.6 - Cross-Site Scripting via Crafted URL

Description

FreeBSD CVSweb version 2.x contains a Cross-Site Scripting (XSS) vulnerability in all pages. The impact is limited because CVSweb is anonymous and read-only, though it might affect other sites on the same domain. The attack appears to be exploitable when a victim loads a specially crafted URL. The vulnerability appears to have been fixed in 3.x.

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.kvakil.me/posts/cvsweb/

Scores

CVSS v3 6.1
EPSS 0.0026
EPSS Percentile 49.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
freebsd/cvsweb 2.0.4 - 2.0.6
Published Feb 04, 2019
Tracked Since Feb 18, 2026