CVE-2017-5938 — Cross-site Scripting in Viewvc

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 29.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Viewvc Debian Linux Opensuse Leap +1 more

Timeline

PublishedMar 15

Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Ubuntuviewvc/viewvc< 1.1.5-1.4+deb7u1build0.14.04.1+1

▶NVDviewvc/viewvc1.1.25

▶NVDopensuse/leap42.2

▶NVDopensuse_project/leap42.1

Also affects: Debian Linux 8.0

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-3h2f-w6h5-7wr8: Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc↗2022-05-14

▶

CVEList

CVE-2017-5938: Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc↗2017-03-15

▶

OSV

CVE-2017-5938: Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc↗2017-03-15

▶