CVE-2020-5283
PUBLISHED
ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28.
Risk Scores
EPSS Score: 0.18% (39.2th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | viewvc | 0, 1.1.22-1+deb8u1build0.16.04.1, 1.1.22-1 |
| Ubuntu:18.04:LTS | viewvc | 0, 1.1.26-1 |
Timeline
- Apr 3, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-5283 third-party-advisory
- https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg third-party-advisory
- https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8 third-party-advisory
- https://github.com/viewvc/viewvc/issues/211 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-5283 third-party-advisory