ViewVC prior 1.1.29/1.2.2 Revision View cross site scripting

Summaryinfo

A vulnerability identified as problematic has been detected in ViewVC. This vulnerability affects unknown code of the component Revision View. This manipulation causes cross site scripting. This vulnerability is handled as CVE-2023-22456. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in ViewVC. It has been declared as problematic. Affected by this vulnerability is some unknown functionality of the component Revision View. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. As an impact it is known to affect integrity. The summary by CVE is:

ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)

The weakness was released 04/22/2023 as 311. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2023-22456 since 12/29/2022. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 261452 (Linux Distros Unpatched Vulnerability : CVE-2023-22456), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 1.1.29 or 1.2.2 eliminates this vulnerability. The upgrade is hosted for download at github.com.

The vulnerability is also documented in the vulnerability database at Tenable (261452). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• ViewVC

Website

• Product: https://github.com/viewvc/viewvc/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion