bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi.
https://exchange.xforce.ibmcloud.com/vulnerabilities/9921
http://www.securityfocus.com/bid/5517
http://www.debian.org/security/2003/dsa-265