ViewVC Regular Expression Search Cross Site Scripting Vulnerability

Bugtraq ID:	39053
Class:	Origin Validation Error
CVE:	CVE-2010-0132
Remote:	Yes
Local:	No
Published:	Mar 30 2010 12:00AM
Updated:	Apr 13 2015 08:12PM
Credit:	Discovered by Secunia Research
Vulnerable:	ViewVC ViewVC 1.1.4 ViewVC ViewVC 1.0.10 S.u.S.E. openSUSE 11.1 S.u.S.E. openSUSE 11.0
Not Vulnerable:	ViewVC ViewVC 1.1.5 ViewVC ViewVC 1.0.11

ViewVC Regular Expression Search Cross Site Scripting Vulnerability

ViewVC is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. Other attacks are also possible.

Versions prior to ViewVC 1.1.5 and 1.0.11 are vulnerable.

ViewVC Regular Expression Search Cross Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

ViewVC Regular Expression Search Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more information.

ViewVC Regular Expression Search Cross Site Scripting Vulnerability

References:

• Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting (Secunia Research)
  
• ViewVC Changelog (ViewVC)
  
• ViewVC Homepage (ViewVC)
  
• ViewVC Tigris Homepage (ViewVC)