This includes versions: 1.7.22 to 1.7.27
Please upgrade to Version 1.7.27
Inclues the following Vulnerabilities:
Review Board - 1.7.22
An XSS vulnerability was found in the Search field’s auto-complete.
If a user had a first or last name with HTML in it, the HTML would be interpreted by the browser. This allowed crafting short scripts (up to 13 characters in length per field, due to the field length limits).
This release fixes the vulnerability.
The vulnerability was made public on multiple channels, and we decided to fast-track a release in order to allow administrators to quickly patch their systems.
Review Board - 1.7.25
This release requires Django 1.4.11, which was announced today (April 22nd) and fixes a number of security-related issues. We strongly recommend that everyone, particularly those with public installations, upgrade to this release.
Review Board - 1.7.26
This release requires Django 1.4.13, which fixes a small handful of security issues. See Django’s announcement for more information.
Fixed an XSS issue in the diff viewer and file attachments with user real names.
A user could set their real name to text including </script> to take advantage of an XSS bug on the diff viewer and file attachment pages. This is related to the fixes in Djblets 0.7.30 and 0.8.3.
This is CVE-2014-3994 (discovered by “Uchida”).
Review Board - 1.7.27
Fixed a vulnerability where a URL to a diff fragment could be crafted that would inject custom HTML into the page. An attacker could send such a URL to another user and execute code in their browser session.
This was reported by Uchida. A CVE number is pending.
The Original File and Patched File resources could be used to access files on a private review request that the user did not have access to, if they knew the approciate database IDs.
A CVE number is pending.
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27
and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web
script or HTML via a query parameter to a diff fragment page.
Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py
in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in
Review Board, allows remote attackers to inject arbitrary web script or HTML
via a JSON object, as demonstrated by the name field when changing a user
Please upgrade in bug 522472 to Version 1.7.27 or above.
Maintainer(s), Thank you for your work.
No GLSA needed as there are no stable versions.