Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."
CVSS Score
4.3
EPSS Score
0.003
Published
2010-03-19
query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
CVSS Score
7.5
EPSS Score
0.005
Published
2010-01-29
ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
CVSS Score
5.0
EPSS Score
0.008
Published
2010-01-29
Page 2