A vulnerability has been reported in ViewVC, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "view" parameter in viewvc.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website. NOTE: Additionally, input passed via invalid parameters is returned in a potentially misleading manner. This can be used to e.g. trick users into visiting a malicious site. Solution: Update to version 1.0.9 or 1.1.2. Reproducible: Always
www-apps/viewvc-1.1.2 is now in the tree. Please stabilize www-apps/viewvc-1.1.2.
x86 stable
This bug depends on bug 284971, which already blocks bug 281827. Therefore, this one doesn't need to block 281827 because this bug is unrelated to the 10.0 release.
amd64 stable
ppc stable
sparc stable
CVE-2009-3618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3618): Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information. CVE-2009-3619 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3619): Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."