query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
CVSS Score
7.5
EPSS Score
0.005
Published
2010-01-29
ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
CVSS Score
5.0
EPSS Score
0.008
Published
2010-01-29
Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information.
CVSS Score
4.3
EPSS Score
0.007
Published
2009-11-10
Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."
CVSS Score
5.0
EPSS Score
0.005
Published
2009-11-10
lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
CVSS Score
5.8
EPSS Score
0.009
Published
2008-09-30
Page 2