Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-22456

Опубликовано: 03 янв. 2023
Источник: nvd
CVSS3: 6.1
EPSS Низкий

Описание

ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version).

ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's revision.ezt file references to those changed paths, and wrap them with `[format "htm

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*
Версия до 1.1.29 (исключая)
cpe:2.3:a:viewvc:viewvc:*:*:*:*:*:*:*:*
Версия от 1.2.0 (включая) до 1.2.2 (исключая)

EPSS

Процентиль: 75%
0.00888
Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

ubuntu логотип

CVE-2023-22456

CVSS3: 6.1
ubuntu
около 3 лет назад

ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "h...

debian логотип

CVE-2023-22456

CVSS3: 6.1
debian
около 3 лет назад

ViewVC, a browser interface for CVS and Subversion version control rep ...

fstec логотип

BDU:2023-07676

CVSS3: 6.1
fstec
около 3 лет назад

Уязвимость системы онлайн-просмотра репозиториев ViewVC, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

EPSS

Процентиль: 75%
0.00888
Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79