Stored cross-site scripting in ViewVC - CVE-2023-22464

 

Stored cross-site scripting in ViewVC - CVE-2023-22464

Published: January 4, 2023


Vulnerability identifier: #VU70698
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-22464
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ViewVC
Affected software:
ViewVC

Detailed vulnerability description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in revision view changed path "copyfrom" locations. A remote user with commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.


How to mitigate CVE-2023-22464

Install updates from vendor's website.

Sources