PT-2023-18516 · Viewvc · Viewvc

cmpilato published · Published 2023-01-04 · Updated 2023-01-24 · CVE-2023-22464

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ViewVC versions prior to 1.2.3
ViewVC versions prior to 1.1.30

Description
ViewVC is a browser interface for CVS and Subversion version control repositories. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names, which themselves can be challenging to create.

Recommendations
For versions prior to 1.2.3, update to at least version 1.2.3. For versions prior to 1.1.30, update to at least version 1.1.30. For ViewVC 1.0.x, edit the ViewVC EZT view templates to manually HTML-escape changed-path "copyfrom paths" during rendering by wrapping references to [changes.copy_path] with [format "html"] and [end]. This workaround should be reverted after upgrading to a patched version of ViewVC.
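The following is an added example, not code from ViewVC or from this advisory. It shows what the 1.0.x template workaround achieves and gives a defender a way to check that it has been applied: a raw substitution of a copyfrom path next to the entity-encoded one that `[format "html"] ... [end]` produces, plus a small audit function that scans an EZT template for `[changes.copy_path]` references that are not inside a `[format "html"]` block. The two templates and the file name are constructed; the tokenizer is a simplified approximation of EZT syntax (it assumes `[for]`, `[if-any]`, `[if-index]`, `[is]`, `[define]` and `[format]` are the only block-opening directives and that every `[end]` closes the innermost block), which is an assumption, not a description of ViewVC's parser.

```python
import html
import re
from typing import List, Optional, Tuple

# Constructed sample: a copyfrom path whose file name carries markup.
# Real values come from the Subversion repository; this one is made up.
UNSAFE_COPYFROM = "trunk/<b>not-escaped</b>.txt"


def render_raw(copy_path: str) -> str:
    """Mirrors an unescaped [changes.copy_path] reference: markup reaches the browser."""
    return f"<td>(copied from {copy_path})</td>"


def render_escaped(copy_path: str) -> str:
    """Mirrors [format "html"][changes.copy_path][end]: entity-encode before output."""
    return f"<td>(copied from {html.escape(copy_path, quote=True)})</td>"


# Constructed templates in EZT-like syntax; not ViewVC's shipped templates.
VULNERABLE_TEMPLATE = """<table>
[for changes]
  <tr><td>[changes.path]</td>
  [if-any changes.copy_path]<td>(copied from [changes.copy_path])</td>[end]
  </tr>
[end]
</table>
"""

FIXED_TEMPLATE = """<table>
[for changes]
  <tr><td>[changes.path]</td>
  [if-any changes.copy_path]<td>(copied from [format "html"][changes.copy_path][end])</td>[end]
  </tr>
[end]
</table>
"""

# Assumed set of EZT directives that open a block closed by [end].
_BLOCK_OPENERS = {"for", "if-any", "if-index", "is", "define", "format"}
_DIRECTIVE = re.compile(r"\[([^\]]+)\]")


def unescaped_copy_path_refs(template: str) -> List[int]:
    """Return 1-based line numbers of [changes.copy_path] references that are
    not wrapped in a [format "html"] ... [end] block."""
    stack: List[Tuple[str, Optional[str]]] = []
    hits: List[int] = []
    for m in _DIRECTIVE.finditer(template):
        parts = m.group(1).split(None, 1)
        name = parts[0]
        arg = parts[1].strip().strip('"') if len(parts) > 1 else None
        if name == "end":
            if stack:
                stack.pop()
        elif name in _BLOCK_OPENERS:
            stack.append((name, arg))
        elif name == "changes.copy_path":
            if ("format", "html") not in stack:
                hits.append(template.count("\n", 0, m.start()) + 1)
    return hits


if __name__ == "__main__":
    print("raw:     ", render_raw(UNSAFE_COPYFROM))
    print("escaped: ", render_escaped(UNSAFE_COPYFROM))
    print("vulnerable template, unescaped refs on lines:",
          unescaped_copy_path_refs(VULNERABLE_TEMPLATE))
    print("fixed template, unescaped refs on lines:",
          unescaped_copy_path_refs(FIXED_TEMPLATE))
```

Running the audit over each template under a ViewVC 1.0.x installation's `templates/` directory gives a quick way to confirm the workaround has been applied everywhere a copyfrom path is rendered, and to confirm it has been removed again after upgrading to 1.1.30 or 1.2.3, where the shipped templates carry the fix.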

Exploit · Fix

Weakness Enumeration

XSS

Related Identifiers

CVE-2023-22464
DLA-3266-1
GHSA-JVPJ-293Q-Q53H
MGASA-2023-0019

Affected Products

Viewvc