DSA-2563-1 viewvc -- several
ID: oval:org.secpod.oval:def:600903 | Date: (C)2012-10-26 (M)2023-11-09 | Class: PATCH | Family: unix
Several vulnerabilities were found in ViewVC, a web interface for CVS and Subversion repositories.
CVE-2009-5024: remote attackers can bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks via the limit parameter.
CVE-2012-3356: the remote SVN views functionality does not properly perform authorization, which allows remote attackers to bypass intended access restrictions.
CVE-2012-3357: the SVN revision view does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information.
CVE-2012-4533: "function name" lines returned by diff are not properly escaped, allowing attackers with commit access to perform cross-site scripting.