PT-2023-6806 · Viewvc · Viewvc
Published by cmpilato
Published 2023-01-02 · Updated 2023-01-24
CVE-2023-22456
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
ViewVC versions prior to 1.2.2
ViewVC versions prior to 1.1.29
Description
The issue is a cross-site scripting (XSS) vulnerability in ViewVC, a browser interface for CVS and Subversion version control repositories. Its impact is limited by the fact that the attacker needs commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector is files with unsafe names (names containing HTML markup that ViewVC rendered without escaping), which are themselves not trivial to create.
Recommendations
For versions prior to 1.2.2, update to at least version 1.2.2.
For versions prior to 1.1.29, update to at least version 1.1.29.
For ViewVC 1.0.x, edit the ViewVC EZT view templates to HTML-escape changed paths manually during rendering by wrapping references to changed paths in [format "html"] ... [end]. For most users this means changing [changes.path] to [format "html"][changes.path][end]. Revert this workaround after upgrading to a patched version of ViewVC.
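The following is an added example, not ViewVC's own code: it checks EZT template text for a [changes.path] reference that is not inside a [format "html"] ... [end] block, applies the wrapping the workaround above describes, and shows what the bare and the escaped template forms emit for a file name carrying markup. The EZT block tracking is a simplified assumption (it follows only [for]/[if-any]/[if-index]/[is]/[define]/[format] ... [end] nesting), and the function names, the template fragment and the file name are constructed for illustration.

```python
"""Check ViewVC EZT templates for an unescaped [changes.path] reference
(CVE-2023-22456), apply the documented 1.0.x workaround, and show what the
two template forms emit for an unsafe file name.

Added example, not ViewVC's own code. EZT parsing here is a simplified
assumption: only block directives and [end] are tracked.
"""
import html
import re

# One EZT directive: [name], [name arg], [end], [format "html"], ...
DIRECTIVE = re.compile(r'\[([^\[\]]+)\]')
# Directives that open a block closed by [end] (assumed subset of EZT).
BLOCK_OPENERS = ('for ', 'if-any ', 'if-index ', 'is ', 'define ', 'format ')
HTML_FORMAT = 'format "html"'


def find_unescaped(template_text):
    """Return (line, start, end) for every [changes.path] emitted outside a
    [format "html"] ... [end] block, i.e. rendered without HTML escaping."""
    stack, hits = [], []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        for m in DIRECTIVE.finditer(line):
            body = m.group(1).strip()
            if body == 'end':
                if stack:
                    stack.pop()
            elif body.startswith(BLOCK_OPENERS):
                stack.append(body)
            elif body == 'changes.path' and HTML_FORMAT not in stack:
                hits.append((lineno, m.start(), m.end()))
    return hits


def apply_workaround(template_text):
    """Wrap each unescaped [changes.path] as [format "html"][changes.path][end],
    the manual fix the advisory describes for ViewVC 1.0.x."""
    lines = template_text.splitlines(keepends=True)
    spans_by_line = {}
    for lineno, start, end in find_unescaped(template_text):
        spans_by_line.setdefault(lineno, []).append((start, end))
    for lineno, spans in spans_by_line.items():
        line = lines[lineno - 1]
        # Patch right-to-left so earlier offsets on the same line stay valid.
        for start, end in sorted(spans, reverse=True):
            line = (line[:start] + '[format "html"]' + line[start:end]
                    + '[end]' + line[end:])
        lines[lineno - 1] = line
    return ''.join(lines)


def render_path(path, escaped):
    """Toy stand-in for the text a template emits for one changed path:
    raw for a bare [changes.path], HTML-escaped inside [format "html"]."""
    return html.escape(path, quote=True) if escaped else path


# Constructed template fragment: the first [changes.path] is unescaped,
# the second is already wrapped correctly.
VULNERABLE_TEMPLATE = (
    '[for changes]\n'
    '<tr><td><a href="[changes.href]">[changes.path]</a></td>\n'
    '<td>[format "html"][changes.path][end]</td></tr>\n'
    '[end]\n'
)

# Constructed unsafe file name of the kind the advisory refers to.
UNSAFE_NAME = 'notes<img src=x onerror=alert(1)>.txt'


if __name__ == '__main__':
    for lineno, _, _ in find_unescaped(VULNERABLE_TEMPLATE):
        print('unescaped [changes.path] on template line', lineno)
    fixed = apply_workaround(VULNERABLE_TEMPLATE)
    print(fixed)
    print('unescaped after workaround:', len(find_unescaped(fixed)))
    print('bare template emits:   ', render_path(UNSAFE_NAME, escaped=False))
    print('escaped template emits:', render_path(UNSAFE_NAME, escaped=True))
```

Running the script against a real ViewVC 1.0.x templates directory would mean reading each .ezt file and passing its text to find_unescaped; a non-empty result is a template still affected by the issue. The checker deliberately tracks block nesting rather than looking for the literal string [format "html"][changes.path][end], because a template may legitimately place several directives inside one [format "html"] block.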
Weakness Enumeration
XSS
Related identifiers
Affected products
Viewvc