Vendor CVEs
Viewvc
All CVEs
26 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5938 | | Med | 0.40 | 6.1 | 0.01 | | Mar 15, 2017 | Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. |
| CVE-2002-0771 | | | 0.04 | — | 0.07 | | Aug 12, 2002 | Cross-site scripting vulnerability in viewcvs.cgi for ViewCVS 0.9.2 allows remote attackers to inject script and steal cookies via the (1) cvsroot or (2) sortby parameters. |
| CVE-2025-54141 | | | 0.00 | — | 0.01 | | Jul 22, 2025 | ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem through a directory… |
| CVE-2023-22464 | | | 0.00 | — | 0.01 | | Jan 4, 2023 | ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion… |
| CVE-2023-22456 | | | 0.00 | — | 0.01 | | Jan 3, 2023 | ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a… |
| CVE-2020-5283 | | | 0.00 | — | 0.01 | | Apr 3, 2020 | ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also… |
| CVE-2007-5743 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option. |
| CVE-2012-4533 | | | 0.00 | — | 0.03 | | Nov 19, 2012 | Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via… |
| CVE-2012-3357 | | | 0.00 | — | 0.02 | | Jul 22, 2012 | The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak." |
| CVE-2012-3356 | | | 0.00 | — | 0.02 | | Jul 22, 2012 | The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors. |
| CVE-2009-5024 | | | 0.00 | — | 0.03 | | May 23, 2011 | ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request. |
| CVE-2010-0132 | | | 0.00 | — | 0.02 | | Mar 31, 2010 | Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different… |
| CVE-2010-0736 | | | 0.00 | — | 0.02 | | Mar 19, 2010 | Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input." |
| CVE-2010-0005 | | | 0.00 | — | 0.02 | | Jan 29, 2010 | query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. |
| CVE-2010-0004 | | | 0.00 | — | 0.03 | | Jan 29, 2010 | ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. |
| CVE-2009-3619 | | | 0.00 | — | 0.02 | | Nov 10, 2009 | Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values." |
| CVE-2009-3618 | | | 0.00 | — | 0.02 | | Nov 10, 2009 | Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2008-4325 | | | 0.00 | — | 0.01 | | Sep 30, 2008 | lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the… |
| CVE-2008-1290 | | | 0.00 | — | 0.01 | | Mar 24, 2008 | ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information. |
| CVE-2008-1291 | | | 0.00 | — | 0.01 | | Mar 24, 2008 | ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder. |
| CVE-2008-1292 | | | 0.00 | — | 0.01 | | Mar 24, 2008 | ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a… |
| CVE-2006-5442 | | | 0.00 | — | 0.02 | | Oct 21, 2006 | ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view. |
| CVE-2005-4831 | | | 0.00 | — | 0.01 | | Dec 31, 2005 | viewcvs in ViewCVS 0.9.2 allows remote attackers to set the Content-Type header to arbitrary values via the content-type parameter, which can be leveraged for cross-site scripting (XSS) and other attacks, as demonstrated using (1) "text/html", or (2) "image/jpeg" with an image… |
| CVE-2005-4830 | | | 0.00 | — | 0.02 | | Dec 31, 2005 | CRLF injection vulnerability in viewcvs in ViewCVS 0.9.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the content-type parameter. |
| CVE-2004-0915 | | | 0.00 | — | 0.01 | | Jan 10, 2005 | Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporting a repository as a tar archive, does not properly implement the hide_cvsroot and forbidden settings, which could allow remote attackers to gain sensitive information. |
| CVE-2004-1062 | | | 0.00 | — | 0.01 | | Dec 28, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages. |