ViewVC: Security Vulnerabilities, CVEs, Published in 2008
lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
Max CVSS: 5.8; EPSS Score: 0.95%; Published: 2008-09-30; Updated: 2010-08-30
ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters.
Max CVSS: 4.3; EPSS Score: 0.69%; Published: 2008-03-24; Updated: 2009-08-20
ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder.
Max CVSS: 4.3; EPSS Score: 0.55%; Published: 2008-03-24; Updated: 2009-08-20
ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information.
Max CVSS: 4.3; EPSS Score: 0.69%; Published: 2008-03-24; Updated: 2009-08-20
4 vulnerabilities found