ViewCVS: cross-site scripting bug

I found the following cross-site scripting vulnerability in ViewCVS:

Details
------------

Product: ViewCVS
Affected Version: 0.9.2 and earlier
Vendor's URL: http://viewcvs.sourceforge.net/
Vendor Status: Informed. They have already fixed it internally, but nothing has been published yet.

Introduction
------------

ViewCVS is a WWW interface for CVS repositories. It is widely used in the free software and open source communities. Unfortunately, it has a cross-site scripting vulnerability.

Proof
-----------------

If you access a URL like:

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=
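The bug pattern the proof URL points at, and the fix for it, as an added illustration that is not ViewCVS's own code: it assumes (as the `cvsroot=` parameter in the URL suggests) that the request parameter is reflected into the response unescaped, and that the front end, like ViewCVS, only knows the repository roots listed in its configuration (the root names and paths below are constructed). The hardened variant never echoes an unknown root and HTML-escapes what it does echo.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed, hypothetical set of configured repositories; a ViewCVS-style
# front end only knows the roots listed in its own configuration.
CONFIGURED_ROOTS = {
    "viewcvs": "/var/cvs/viewcvs",
    "default": "/var/cvs/main",
}


def requested_cvsroot(url: str) -> str:
    """Pull the raw cvsroot query parameter out of a request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("cvsroot", ["default"])[0]


def banner_unsafe(url: str) -> str:
    """The bug pattern: the raw parameter goes straight into markup.

    Whatever the client sends as cvsroot lands in the response body,
    which is exactly a reflected cross-site scripting condition.
    """
    return "<h1>Repository: %s</h1>" % requested_cvsroot(url)


def banner_safe(url: str) -> str:
    """Hardened version: allow-list first, escape second.

    1. An unknown root is never echoed; the request falls back to the
       configured default root instead.
    2. The name that is echoed is HTML-escaped anyway, so even an odd
       root name in the configuration cannot break out of the element.
    """
    name = requested_cvsroot(url)
    if name not in CONFIGURED_ROOTS:
        name = "default"
    return "<h1>Repository: %s</h1>" % html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed request: markup in the parameter instead of a repository name.
    req = "http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<b>bogus</b>"
    print(banner_unsafe(req))  # the injected markup survives into the page
    print(banner_safe(req))    # unknown root, so the default is shown instead
```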