ViewVC Invalid Parameter Arbitrary HTML Injection

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

An application running on the remote web server has an HTML injection
vulnerability.

Description :

The version of ViewVC hosted on the remote host is vulnerable to a
HTML injection attack. Requesting a URL with an invalid parameter
name in the query string generates an error message that echoes back
the parameter name. Any URLs included in the invalid parameter name
become hyperlinks. A remote attacker could trick a user into
requesting a malicious URL to facilitate a social engineering attempt.

According to some reports, there is also an unrelated cross-site
scripting issue in this version of ViewVC, though Nessus has not
checked for that.

See also :

http://www.nessus.org/u?846e7b9b
http://www.nessus.org/u?66b6cc34

Solution :

Upgrade to ViewVC 1.0.9 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 42348 ()

Bugtraq ID: 36035

CVE ID: