Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-5283

ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

Published

2020-04-03T00:15:11.943

Last Modified

2024-11-21T05:33:49.887

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.1 (LOW)

CVSSv2 Vector

AV:N/AC:H/Au:S/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

3.9

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-80
  • Type: Primary
    CWE-79
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application viewvc viewvc < 1.1.28 Yes
Application viewvc viewvc < 1.2.1 Yes
References