ViewVC does not properly escape the names of versioned directories and files before making them available for use via its nav_path HTML template variables. These variables are used in ViewVC's default templates, and would likely be used in folks' customized templates, too. A user with commit privileges to the repository could introduce a versioned directory or file with a name that contains an executable script (e.g., <img src="#" onerror="alert(1)">), and the script would be evaluated upon a user's navigation (via web browser) to ViewVC's view of that directory or file.
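To make the flaw concrete, here is an added example (not ViewVC's own code; the names build_nav_path, render_breadcrumbs and the sample path are assumed) that contrasts a nav_path builder copying directory and file names into template data verbatim with one that HTML-escapes them first:

```python
import html
from urllib.parse import quote

# Constructed sample path whose last component is the kind of name the
# report describes; it is not a real repository path.
SAMPLE_PATH_PARTS = ["trunk", "docs", '<img src="#" onerror="alert(1)">']


def build_nav_path(parts, escape_names):
    """Build nav_path-style template data: one {name, href} entry per component.

    escape_names=False mirrors the reported flaw (raw names reach the template);
    escape_names=True is the hardened form (names are HTML-escaped at the source).
    """
    items = []
    for i, name in enumerate(parts):
        # Percent-encode each component for the link target so that quotes,
        # angle brackets and ampersands cannot break out of the attribute.
        href = "/" + "/".join(quote(p, safe="") for p in parts[: i + 1]) + "/"
        shown = html.escape(name, quote=True) if escape_names else name
        items.append({"name": shown, "href": href})
    return items


def render_breadcrumbs(items):
    """Simulated template: interpolates names into <a> elements without escaping,
    which is how a default or customized template would typically use nav_path."""
    return " / ".join('<a href="%s">%s</a>' % (it["href"], it["name"]) for it in items)


def contains_raw_tag(rendered):
    """Check used by the demonstration: did an unescaped tag survive into the HTML?"""
    return "<img" in rendered


if __name__ == "__main__":
    print(render_breadcrumbs(build_nav_path(SAMPLE_PATH_PARTS, escape_names=False)))
    print(render_breadcrumbs(build_nav_path(SAMPLE_PATH_PARTS, escape_names=True)))
```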