CVE-2020-5283

Publication date 3 April 2020

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

3.5 · Low

Score breakdown

ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.

Status

Package Ubuntu Release Status
viewvc 24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Not in release
21.04 hirsute Not in release
20.10 groovy Not in release
20.04 LTS focal Not in release
19.10 eoan Ignored end of life
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty Not in release

Severity score breakdown

Parameter Value
Base score 3.5 · Low
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N