It was discovered that ViewVC is neither sending a charset HTTP header nor specifying a charset in the HTML body. Therefore it is possible to trick several browsers into decoding ViewVC pages UTF-7. This allows attackers to inject arbitrary UTF-7 encoded Java-Script code into the output.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/51155/ViewVC-1.0.2.txt
Source: https://packetstormsecurity.com/files/51155/ViewVC-1.0.2.txt.html