CVE-2020-5283 LOW

CVE-2020-5283: XSS vulnerability in CVS show_subdir_lastmod support

Vendor Viewvc
Product viewvc
Weakness CWE-80 · XSS · basic
Published April 3, 2020
Last update August 4, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

Key dates

Disclosure timeline

April 3, 2020 CVE published
August 4, 2024 Record updated