ViewVC is prone to these security vulnerabilities: - A cross-site scripting vulnerability. - An unspecified security vulnerability that may allow attackers to print illegal parameter names and values. An attacker may leverage theses issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. Other attacks are also possible. Versions prior to ViewVC 1.0.9 are vulnerable.

Vendor updates are available. Please see the references for details.

• http://viewvc.tigris.org/
• http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
• http://www.securityfocus.com/bid/36035

---

Updated on 2015-03-25