This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.
An application running on the remote web server has an HTML injection
The version of ViewVC hosted on the remote host is vulnerable to a
HTML injection attack. Requesting a URL with an invalid parameter
name in the query string generates an error message that echoes back
the parameter name. Any URLs included in the invalid parameter name
become hyperlinks. A remote attacker could trick a user into
requesting a malicious URL to facilitate a social engineering attempt.
According to some reports, there is also an unrelated cross-site
scripting issue in this version of ViewVC, though Nessus has not
checked for that.
See also :
Upgrade to ViewVC 1.0.9 or later.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true
Family: CGI abuses : XSS
Nessus Plugin ID: 42348 ()
Bugtraq ID: 36035