Description
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
References (4)
Core 4
Core References
Mitigation, Patch, Third Party Advisory x_refsource_confirm
https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/viewvc/viewvc/issues/211
Patch, Third Party Advisory x_refsource_misc
https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/
Scores
CVSS v3
3.1
EPSS
0.0018
EPSS Percentile
39.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-80
CWE-79
Status
published
Products (1)
viewvc/viewvc
< 1.1.28
Published
Apr 03, 2020
Tracked Since
Feb 18, 2026