ViewVC UTF-7 Charset Unspecified HTML Injection Vulnerability

ViewVC is prone to a HTML-injection vulnerability because of it fails to specify a charset in the HTML body or the HTTP header.

Exploiting this issue could allow an attacker to execute attacker-supplied script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

ViewVC 1.0.2 and prior versions are vulnerable; other versions may also be affected.


Privacy Statement
Copyright 2010, SecurityFocus