CVE-2008-4325

Description

lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the HTTP request for the Content-Type header in the HTTP response, which allows remote attackers to cause content to be misinterpreted by the browser via a content-type parameter that is inconsistent with the requested object. NOTE: this issue might not be a vulnerability, since it requires attacker access to the repository that is being viewed.

How to fix CVE-2008-4325

To remediate CVE-2008-4325, upgrade the affected package to a fixed version below.

• Debian/viewvc—upgrade to 1.0.9-1 or later

Is CVE-2008-4325 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.9-1

References (7)

• PATCHviewvc.tigris.org/issues/show_bug.cgi?id=354
• WEBwww.redhat.com/archives/fedora-package-announce/2008-September/msg01101.html
• WEBwww.redhat.com/archives/fedora-package-announce/2008-September/msg01142.html
• WEBviewvc.tigris.org/source/browse/viewvc?rev=1978&view=rev