CVE-2020-5283: 
Homebrew vulnerability analysis and mitigation

ViewVC before versions 1.1.28 and 1.2.1 contains a Cross-Site Scripting (XSS) vulnerability in the CVS show_subdir_lastmod support feature. The vulnerability was discovered in early 2020 and was assigned CVE-2020-5283. The affected software versions include all ViewVC releases up to version 1.1.27 and version 1.2.0 (GitHub Advisory).

The vulnerability exists in the way ViewVC handles file names when the show_subdir_lastmod feature is enabled. When displaying directory views, ViewVC shows the log message of the most recently modified child along with the child file's name and revision number. However, the child file's name was not properly HTML-escaped before being embedded into the HTML stream, allowing for potential XSS attacks (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).

The impact of this vulnerability is considered low due to several mitigating factors. An attacker would need commit privileges to a CVS repository exposed by a trusted ViewVC instance that has the show_subdir_lastmod feature enabled. Additionally, the attack requires creating files with unsafe names that can trigger browser code execution when embedded in an HTML stream, which is described as challenging to accomplish (GitHub Advisory).

The vulnerability has been patched in ViewVC versions 1.2.1 and 1.1.28. For users unable to upgrade, three workarounds are available: 1) Remove or rename any maliciously named files in the repository, 2) Disable the show_subdir_lastmod feature in viewvc.conf, or 3) Apply a patch to lib/viewvc.py to properly escape file names using request.server.escape() (GitHub Advisory).