| VID | 21452 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | ViewCVS, according to its version number, has an input validation vulnerability that allows cross-site scripting and HTTP response splitting attacks. ViewCVS is a Web browser interface, written in the Python programming language, for CVS and Subversion version control repositories. ViewCVS versions prior to 1.0.0 are vulnerable to cross-site scripting and HTTP response splitting attacks. A remote attacker may launch cross-site scripting or HTTP response splitting attacks by enticing a victim user to follow a malicious link. This may allow for theft of cookie-based authentication credentials or other attacks.
* Note: This check relies solely on the version number of the remote ViewCVS software to assess this vulnerability, so this might be a false positive.
* References: http://www.securityfocus.com/advisories/7729
* Platforms Affected: Greg Stein, ViewCVS versions prior to 1.0.0; Linux, any version; Unix, any version; Microsoft Windows, any version |
| Recommendation | Upgrade to the latest version of ViewCVS (1.0.0 or later), available from the ViewCVS Project Page at http://viewcvs.sourceforge.net/ |
| Related URL | CVE-2004-1062 (CVE) |
| Related URL | 12112 (SecurityFocus) |
| Related URL | 18718 (ISS) |