CVE-2006-5442 - ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which all

CVE-2006-5442

Summary

ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.

References

Vulnerable Configurations

cpe:2.3:a:viewvc:viewvc:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.8:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:-:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:viewvc:viewvc:1.0.2:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 17-10-2018 - 21:42)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	20543
bugtraq	20061015 Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability
confirm	http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
misc	http://www.hardened-php.net/advisory_102006.134.html
mlist	[announce] 20061013 ViewVC 1.0.3 released [SECURITY FIXES]
secunia	22395
sreason	1755
xf	viewvc-utf7-xss(29576)

Last major update

17-10-2018 - 21:42

Published

21-10-2006 - 00:07

Last modified

17-10-2018 - 21:42