OVAL

DSA-2563-1 viewvc -- several

ID: oval:org.secpod.oval:def:600903
Date: (C)2012-10-26   (M)2023-11-09
Class: PATCH
Family: unix




Several vulnerabilities were found in ViewVC, a web interface for CVS and Subversion repositories.

CVE-2009-5024: remote attackers can bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks via the limit parameter.

CVE-2012-3356: the remote SVN views functionality does not properly perform authorization, which allows remote attackers to bypass intended access restrictions.

CVE-2012-3357: the SVN revision view does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information.

CVE-2012-4533: "function name" lines returned by diff are not properly escaped, allowing attackers with commit access to perform cross-site scripting.

Platform:
Debian 6.0
Product:
viewvc
Reference:
DSA-2563-1
CVE-2009-5024
CVE-2012-3356
CVE-2012-3357
CVE-2012-4533
CPE    35
cpe:/a:viewvc:viewvc:0.9.1
cpe:/a:viewvc:viewvc:0.9.2
cpe:/a:viewvc:viewvc:0.9.3
cpe:/a:viewvc:viewvc:0.9.4
...

© SecPod Technologies