CVE-2017-5938

NameCVE-2017-5938
DescriptionCross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-820-1, DSA-3784-1
NVD severitymedium (attack range: remote)
Debian Bugs854681

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
viewvc (PTS)wheezy1.1.5-1.4vulnerable
wheezy (security)1.1.5-1.4+deb7u1fixed
jessie (security), jessie1.1.22-1+deb8u1fixed
buster, sid, stretch1.1.26-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
viewvcsource(unstable)1.1.26-1medium854681
viewvcsourcejessie1.1.22-1+deb8u1mediumDSA-3784-1
viewvcsourcewheezy1.1.5-1.4+deb7u1mediumDLA-820-1

Notes

http://www.openwall.com/lists/oss-security/2017/02/08/7
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad

Search for package or bug name: Reporting problems