CVE-2006-5442

Description

ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.

How to fix CVE-2006-5442

To remediate CVE-2006-5442, upgrade the affected package to a fixed version below.

• Debian/viewvc—upgrade to 1.0.3-1 or later

Is CVE-2006-5442 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.3-1

References (8)

• ADVISORYsecunia.com/advisories/22395
• ADVISORYwww.hardened-php.net/advisory_102006.134.html
• WEBsecurityreason.com/securityalert/1755
• WEBexchange.xforce.ibmcloud.com/vulnerabilities/29576
• WEB