1## Security Issue History
2
3### [CVE-2002-0771](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0771)
4
5  * **Vulnerable Version(s)**: 0.8 - 0.9.2
6  * **Fixed Version(s)**: 0.9.3
7  * **Issue(s)**:
8  * **Description**: Cross-site scripting vulnerability in `viewcvs.cgi` for ViewCVS 0.9.2 allows remote attackers to inject script and steal cookies via the (1) cvsroot or (2) sortby parameters.
9
10### [CVE-2004-0915](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0915)
11
12  * **Vulnerable Version(s)**: 0.9.2
13  * **Fixed Version(s)**: 0.9.3
14  * **Issue(s)**:
15  * **Description**: Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporting a repository as a tar archive, does not properly implement the `hide_cvsroot` and `forbidden` settings, which could allow remote attackers to gain sensitive information.
16
17### [CVE-2004-1062](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1062)
18
19  * **Vulnerable Version(s)**: 0.9.2
20  * **Fixed Version(s)**: 0.9.3
21  * **Issue(s)**:
22  * **Description**: Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages.
23
24### [CVE-2005-4830](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4830)
25
26  * **Vulnerable Version(s)**: 0.9.2
27  * **Fixed Version(s)**: 0.9.3
28  * **Issue(s)**:
29  * **Description**: CRLF injection vulnerability in viewcvs in ViewCVS 0.9.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the `content-type` parameter.
30
31### [CVE-2005-4831](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4831)
32
33  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.5
34  * **Fixed Version(s)**: 1.0.6
35  * **Issue(s)**: <a href="http://viewvc.tigris.org/issues/show_bug.cgi?id=354">Tigris 354</a>
36  * **Description**: viewcvs in ViewCVS 0.9.2 allows remote attackers to set the Content-Type header to arbitrary values via the `content-type` parameter, which can be leveraged for cross-site scripting (XSS) and other attacks, as demonstrated using (1) "text/html", or (2) "image/jpeg" with an image that is rendered as HTML by Internet Explorer, a different vulnerability than CVE-2004-1062. NOTE: it was later reported that 0.9.4 is also affected.
37
38### [CVE-2006-5442](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5442)
39
40  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.2
41  * **Fixed Version(s)**: 1.0.3
42  * **Issue(s)**:
43  * **Description**: ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
44
45### [CVE-2008-1290](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1290)
46
47  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.4
48  * **Fixed Version(s)**: 1.0.5
49  * **Issue(s)**:
50  * **Description**: ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information.
51
52### [CVE-2008-1291](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1291)
53
54  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.4
55  * **Fixed Version(s)**: 1.0.5
56  * **Issue(s)**:
57  * **Description**: ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden `CVSROOT` folder.
58
59### [CVE-2008-1292](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1292)
60
61  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.4
62  * **Fixed Version(s)**: 1.0.5
63  * **Issue(s)**:
64  * **Description**: ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters.
65
66### [CVE-2008-4325](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4325)
67
68  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.5
69  * **Fixed Version(s)**: 1.0.6
70  * **Issue(s)**: <a href="http://viewvc.tigris.org/issues/show_bug.cgi?id=354">Tigris 354</a>
71  * **Description**: `lib/viewvc.py` in ViewVC 1.0.5 uses the `content-type` parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a `content-type` parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.
72
73### [CVE-2009-3618](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3618)
74
75  * **Vulnerable Version(s)**: 1.0.0 - 1.0.8, 1.1.0 - 1.1.1
76  * **Fixed Version(s)**: 1.0.9, 1.1.2
77  * **Issue(s)**:
78  * **Description**: Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: Some of these details are obtained from third party information.
79
80### [CVE-2009-3619](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3619)
81
82  * **Vulnerable Version(s)**: 1.0.0 - 1.0.8, 1.1.0 - 1.1.1
83  * **Fixed Version(s)**: 1.0.9, 1.1.2
84  * **Issue(s)**:
85  * **Description**: Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values".
86
87### [CVE-2009-5024](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5024)
88
89  * **Vulnerable Version(s)**: 0.9.2 - 0.9.4, 1.0.0 - 1.0.12, 1.1.0 - 1.1.10
90  * **Fixed Version(s)**: 1.0.13, 1.1.11
91  * **Issue(s)**:
92  * **Description**: ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb `row_limit` configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.
93
94### [CVE-2010-0004](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0004)
95
96  * **Vulnerable Version(s)**: 1.1.0 - 1.1.2
97  * **Fixed Version(s)**: 1.1.3
98  * **Issue(s)**:
99  * **Description**: ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
100
101### [CVE-2010-0005](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0005)
102
103  * **Vulnerable Version(s)**: 1.1.0 - 1.1.2
104  * **Fixed Version(s)**: 1.1.3
105  * **Issue(s)**:
106  * **Description**: `query.py` in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
107
108### [CVE-2010-0132](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0132)
109
110  * **Vulnerable Version(s)**: 1.0.0 - 1.0.10, 1.1.0 - 1.1.4
111  * **Fixed Version(s)**: 1.0.11, 1.1.5
112  * **Issue(s)**:
113  * **Description**: Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736.
114
115### [CVE-2010-0736](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0736)
116
117  * **Vulnerable Version(s)**: 1.0.0 - 1.0.9, 1.1.0 - 1.1.3
118  * **Fixed Version(s)**: 1.0.10, 1.1.4
119  * **Issue(s)**:
120  * **Description**: Cross-site scripting (XSS) vulnerability in the `view_queryform` function in `lib/viewvc.py` in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input.
121
122### [CVE-2012-3356](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3356)
123
124  * **Vulnerable Version(s)**: 1.1.0 - 1.1.14
125  * **Fixed Version(s)**: 1.1.15
126  * **Issue(s)**:
127  * **Description**: The remote SVN views functionality (`lib/vclib/svn/svn_ra.py`) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
128
129### [CVE-2012-3357](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3357)
130
131  * **Vulnerable Version(s)**: 1.1.0 - 1.1.14
132  * **Fixed Version(s)**: 1.1.15
133  * **Issue(s)**:
134  * **Description**: The SVN revision view (`lib/vclib/svn/svn_repos.py`) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak.
135
136### [CVE-2012-4533](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4533)
137
138  * **Vulnerable Version(s)**: 1.0.0 - 1.0.12, 1.1.0 - 1.1.15
139  * **Fixed Version(s)**: 1.0.13, 1.1.16
140  * **Issue(s)**: <a href="http://viewvc.tigris.org/issues/show_bug.cgi?id=515">Tigris 515</a>
141  * **Description**: Cross-site scripting (XSS) vulnerability in the "extra" details in the `DiffSource._get_row` function in `lib/viewvc.py` in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.
142
143### [CVE-2020-5283](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5283)
144
145  * **Vulnerable Version(s)**: 1.0.0 - 1.0.12, 1.1.0 - 1.1.27, 1.2.0
146  * **Fixed Version(s)**: 1.1.28, 1.2.1
147  * **Issue(s)**: <a href="https://github.com/viewvc/viewvc/issues/211">211</a>
148  * **Description**: Cross-site scripting (XSS) vulnerability ViewVC 1.0.x, ViewVC 1.0.x before 1.1.28, and ViewVC 1.2.0, allows remote authenticated users with repository commit access to add versioned files with names that render as web script or HTML via the CVS subdirectory last-modified feature of the directory view.
149
150
151