CVE-2017-5938

NameCVE-2017-5938
DescriptionCross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-820-1, DSA-3784-1
Debian Bugs854681

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
viewvc (PTS)jessie, jessie (lts)1.1.22-1+deb8u1fixed
stretch (lts), stretch1.1.26-1+deb9u1fixed
buster (security), buster, buster (lts)1.1.26-1+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
viewvcsourcewheezy1.1.5-1.4+deb7u1DLA-820-1
viewvcsourcejessie1.1.22-1+deb8u1DSA-3784-1
viewvcsource(unstable)1.1.26-1854681

Notes

https://www.openwall.com/lists/oss-security/2017/02/08/7
https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad
Search for package or bug name: Reporting problems