Closed
Description
ViewVC does not properly escape the names of versioned directories and files before making them available for use via its nav_path HTML template variables. These variables are used in ViewVC's default templates and would likely be used in folks' customized templates, too. A user with commit privileges to the repository could introduce a versioned directory or file whose name contains HTML markup carrying a script (e.g., <img src="#" onerror="alert(1)">), and the browser would execute that script when a user navigates (via web browser) to ViewVC's view of that directory or file.
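The following added example (not ViewVC's own code) models the defect with a minimal breadcrumb renderer and sets the hardened form beside it: the visible name is HTML-escaped and the path used in the href is percent-encoded, so a repository name can only ever land in the page as text. The function names, the "/viewvc/" URL prefix and the sample path are assumptions made for the illustration.

```python
import html
from urllib.parse import quote

# Constructed sample: a repository path whose middle component is a
# directory name carrying the markup the advisory describes. Sample data,
# not taken from any real repository.
SAMPLE_PATH = ["trunk", 'docs<img src="#" onerror="alert(1)">', "README.txt"]


def render_nav_path_unescaped(components):
    """Models the defect: each name is dropped into the HTML verbatim.

    The browser parses the <img> inside the directory name as real
    markup, so its onerror handler runs when the page is viewed.
    """
    crumbs = []
    for i, name in enumerate(components):
        href = "/viewvc/" + "/".join(components[: i + 1]) + "/"  # assumed prefix
        crumbs.append('<a href="%s">%s</a>' % (href, name))
    return " / ".join(crumbs)


def render_nav_path(components):
    """Hardened form: HTML-escape the visible name and percent-encode each
    path segment in the href, so repository data is never parsed as markup."""
    crumbs = []
    for i, name in enumerate(components):
        segments = [quote(c, safe="") for c in components[: i + 1]]
        href = "/viewvc/" + "/".join(segments) + "/"
        crumbs.append(
            '<a href="%s">%s</a>'
            % (html.escape(href, quote=True), html.escape(name, quote=True))
        )
    return " / ".join(crumbs)


def contains_live_markup(rendered, template_tags=("<a ", "</a>")):
    """Regression check: strip the tags the template itself emits; any
    '<' left over must have come from repository-controlled data."""
    stripped = rendered
    for tag in template_tags:
        stripped = stripped.replace(tag, "")
    return "<" in stripped


if __name__ == "__main__":
    print("unescaped:", render_nav_path_unescaped(SAMPLE_PATH))
    print("escaped:  ", render_nav_path(SAMPLE_PATH))
```

Running the check over both renderings shows the unescaped output still carries a live <img> tag while the hardened output contains only escaped text.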