MidnightBSD

Advisories for viewvc

CVE-2009-3618 MEDIUM

Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.4
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.0.1
CVE-2009-3619 MEDIUM

Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.4
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.0.1
CVE-2009-5024 MEDIUM

ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
viewvc viewvc 0.9.3
viewvc viewvc 0.9.2
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.4
viewvc viewvc 1.1.2
viewvc viewvc 1.0.3
viewvc viewvc 1.1.4
viewvc viewvc 1.0.0
viewvc viewvc 1.0.10
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.1.5
viewvc viewvc 0.9.1
viewvc viewvc 1.1.3
viewvc viewvc 1.1.7
viewvc viewvc 0.9.4
viewvc viewvc 0.8
viewvc viewvc 1.1.8
viewvc viewvc *
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.9
viewvc viewvc 1.1.6
viewvc viewvc 1.1.9
viewvc viewvc 0.9
viewvc viewvc 1.0.6
viewvc viewvc 1.0.1
viewvc viewvc 1.0.11
CVE-2010-0004 MEDIUM

ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.4
viewvc viewvc 1.1.2
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.0.1
CVE-2010-0005 HIGH

query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
viewvc viewvc *
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.4
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.0.1
CVE-2010-0132 LOW

Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
viewvc viewvc 1.0.10
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.1.3
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.9
viewvc viewvc 1.0.4
viewvc viewvc 1.1.2
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.1.4
viewvc viewvc 1.0.0
viewvc viewvc 1.0.1
CVE-2010-0736 MEDIUM

Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.1.3
viewvc viewvc *
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.4
viewvc viewvc 1.1.2
viewvc viewvc 1.0.6
viewvc viewvc 1.0.3
viewvc viewvc 1.0.1
CVE-2012-3356 MEDIUM

The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
viewvc viewvc 0.9.3
viewvc viewvc 1.1.12
viewvc viewvc 1.1.10
viewvc viewvc 0.9.2
viewvc viewvc 1.0.8
viewvc viewvc 1.1.1
viewvc viewvc 1.0.4
viewvc viewvc 1.1.2
viewvc viewvc 1.0.3
viewvc viewvc 1.1.4
viewvc viewvc 1.0.0
viewvc viewvc 1.0.10
viewvc viewvc 1.0.2
viewvc viewvc 1.1.0
viewvc viewvc 1.1.5
viewvc viewvc 0.9.1
viewvc viewvc 1.1.3
viewvc viewvc 1.1.7
viewvc viewvc 0.9.4
viewvc viewvc 1.1.11
viewvc viewvc 0.8
viewvc viewvc 1.1.8
viewvc viewvc *
viewvc viewvc 1.0.7
viewvc viewvc 1.0.5
viewvc viewvc 1.0.9
viewvc viewvc 1.1.6
viewvc viewvc 1.1.9
viewvc viewvc 0.9
viewvc viewvc 1.0.6
viewvc viewvc 1.1.13
viewvc viewvc 1.0.1
viewvc viewvc 1.0.11
CVE-2012-4533 MEDIUM

Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 7.0
viewvc viewvc *
debian debian_linux 6.0
CVE-2017-5938 MEDIUM

Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
viewvc viewvc *
opensuse leap 42.2
opensuse_project leap 42.1
debian debian_linux 8.0
CVE-2020-5283 LOW

ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N 0.5 2.5
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N 0.9 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-80,CWE-79,

Products Affected

Vendor Product Version
viewvc viewvc *
CVE-2023-22456

ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)

Products Affected

Vendor Product Version
viewvc viewvc *
CVE-2023-22464

ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)

Products Affected

Vendor Product Version
viewvc viewvc *
CVE-2025-54141

ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
viewvc viewvc *