CVE-2020-5283
Summary
| CVE | CVE-2020-5283 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-04-03 00:15:00 UTC |
| Updated | 2023-11-07 03:23:00 UTC |
| Description | ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| issue #211: escape CVS subdir last-modified file name · viewvc/viewvc@ad0f966 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| [SECURITY] Fedora 30 Update: viewvc-1.1.28-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| XSS vulnerability: CVS lastlog filename not escaped · Issue #211 · viewvc/viewvc · GitHub | MISC | github.com | Exploit, Issue Tracking, Third Party Advisory |
| XSS vulnerability in CVS show_subdir_lastmod support · Advisory · viewvc/viewvc · GitHub | CONFIRM | github.com | Mitigation, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.