CVE-2006-6386

Name of the Vulnerable Software and Affected Versions CVS management/tracker versions 4.7.x-1.0 through 4.7.x-2.0 CVS management/tracker version 4.7.0

Description The issue allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page. This occurs because the field is not passed through check markup on display, enabling cross-site scripting (XSS).

Recommendations For versions 4.7.x-1.0 through 4.7.x-2.0, update to a version that includes the 20060807 contribution release system. For version 4.7.0, update to a version that includes the 20060807 contribution release system. As a temporary workaround, consider restricting access to the CVS application page to minimize the risk of exploitation.