汇总 viewvc 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 跨站脚本与路径处理缺陷,在 生产负载与软件部署 使用场景中可能带来 会话劫持与文件覆盖 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-54141 | ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4. | [email protected] | 7.5 | 0.80% | 2025-07-22 | 2025-08-05 |
| CVE-2023-22464 | ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can | [email protected] | 5.4 | 0.61% | 2023-01-04 | 2024-11-21 |
| CVE-2023-22456 | ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which th | [email protected] | 6.1 | 0.53% | 2023-01-03 | 2024-11-21 |
| CVE-2020-5283 | ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be chall | [email protected] | 3.1 | 0.18% | 2020-04-03 | 2024-11-21 |
| CVE-2007-5743 | viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option. | [email protected] | 7.5 | 0.35% | 2019-11-07 | 2024-11-21 |
| CVE-2017-5938 | Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. | [email protected] | 6.1 | 0.63% | 2017-03-15 | 2026-05-13 |
| CVE-2012-4533 | Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line. | [email protected] | 4.3 | 0.91% | 2012-11-19 | 2026-04-29 |
| CVE-2012-3357 | The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related to a "log msg leak." | [email protected] | 5.0 | 0.70% | 2012-07-22 | 2026-04-29 |
| CVE-2012-3356 | The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC before 1.1.15 does not properly perform authorization, which allows remote attackers to bypass intended access restrictions via unspecified vectors. | [email protected] | 5.0 | 0.44% | 2012-07-22 | 2026-04-29 |
| CVE-2009-5024 | ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request. | [email protected] | 5.0 | 0.50% | 2011-05-23 | 2026-04-29 |
| CVE-2010-0132 | Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736. | [email protected] | 2.6 | 0.60% | 2010-03-31 | 2026-04-29 |
| CVE-2010-0736 | Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input." | [email protected] | 4.3 | 0.29% | 2010-03-19 | 2026-04-29 |
| CVE-2010-0005 | query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. | [email protected] | 7.5 | 0.48% | 2010-01-29 | 2026-04-29 |
| CVE-2010-0004 | ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. | [email protected] | 5.0 | 0.82% | 2010-01-29 | 2026-04-29 |
| CVE-2009-3619 | Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values." | [email protected] | 5.0 | 0.49% | 2009-11-10 | 2026-04-23 |
| CVE-2009-3618 | Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the view parameter. NOTE: some of these details are obtained from third party information. | [email protected] | 4.3 | 0.70% | 2009-11-10 | 2026-04-23 |
| CVE-2008-4325 | lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed. | [email protected] | 5.8 | 0.90% | 2008-09-30 | 2026-04-23 |
| CVE-2008-1292 | ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters. | [email protected] | 4.3 | 0.72% | 2008-03-24 | 2026-04-23 |
| CVE-2008-1291 | ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder. | [email protected] | 4.3 | 0.66% | 2008-03-24 | 2026-04-23 |
| CVE-2008-1290 | ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information. | [email protected] | 4.3 | 0.72% | 2008-03-24 | 2026-04-23 |