This includes versions: 1.7.22 to 1.7.27. Please upgrade to Version 1.7.27.

Includes the following vulnerabilities:

Review Board - 1.7.22
An XSS vulnerability was found in the Search field's auto-complete. If a user had a first or last name with HTML in it, the HTML would be interpreted by the browser. This allowed crafting short scripts (up to 13 characters in length per field, due to the field length limits). This release fixes the vulnerability. The vulnerability was made public on multiple channels, and we decided to fast-track a release in order to allow administrators to quickly patch their systems.

---

Review Board - 1.7.25
This release requires Django 1.4.11, which was announced today (April 22nd) and fixes a number of security-related issues. We strongly recommend that everyone, particularly those with public installations, upgrade to this release.

---

Review Board - 1.7.26
This release requires Django 1.4.13, which fixes a small handful of security issues. See Django's announcement for more information.
Fixed an XSS issue in the diff viewer and file attachments with user real names. A user could set their real name to text including </script> to take advantage of an XSS bug on the diff viewer and file attachment pages. This is related to the fixes in Djblets 0.7.30 and 0.8.3. This is CVE-2014-3994 (discovered by "Uchida").

---

Review Board - 1.7.27
Fixed a vulnerability where a URL to a diff fragment could be crafted that would inject custom HTML into the page. An attacker could send such a URL to another user and execute code in their browser session. This was reported by Uchida. A CVE number is pending.
The Original File and Patched File resources could be used to access files on a private review request that the user did not have access to, if they knew the appropriate database IDs. A CVE number is pending.
CVE-2014-5027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5027): Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.
CVE-2014-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3994): Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.
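The 1.7.26 note and CVE-2014-3994 both describe the same failure mode: user data (a real name) serialized as JSON and dropped into an inline `<script>` block, where the HTML parser closes the block at the first `</script>` regardless of JavaScript string quoting. The following is an added illustration of the standard mitigation, escaping `<`, `>` and `&` to their `\uXXXX` forms inside the JSON output; it is not Djblets' or Review Board's code, and the `json_for_script`, `render_script_*` and `contains_script_breakout` names and the sample name value are constructed for this example.

```python
import json

# Characters that must never appear raw inside an inline <script> block.
# "<" and ">" cover the "</script>" breakout described in CVE-2014-3994;
# "&" is harmless in script data but matters if the same serialized value
# is reused inside an HTML attribute. The replacements are valid JSON
# escapes, so json.loads() still yields the original string.
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def json_for_script(value):
    """Serialize `value` as JSON that is safe to embed between <script> tags."""
    text = json.dumps(value)
    for raw, escaped in _SCRIPT_SAFE.items():
        text = text.replace(raw, escaped)
    return text


def render_script_unsafe(value):
    """The vulnerable pattern: plain json.dumps() straight into a script block."""
    return "<script>var user = %s;</script>" % json.dumps(value)


def render_script_safe(value):
    """The hardened pattern: script-safe JSON into the same template."""
    return "<script>var user = %s;</script>" % json_for_script(value)


def contains_script_breakout(html):
    """True if the script body would be terminated early by an HTML parser.

    The parser ends the script element at the first "</script" it sees,
    independent of JavaScript string boundaries, so that substring must
    not occur anywhere in the body.
    """
    body = html[len("<script>"):-len("</script>")]
    return "</script" in body.lower()


# Constructed sample: a "real name" carrying the closing tag from the advisory.
SAMPLE_NAME = "Mallory</script><i>not a name</i>"

if __name__ == "__main__":
    print(render_script_unsafe(SAMPLE_NAME))
    print(render_script_safe(SAMPLE_NAME))
    print("unsafe breaks out:", contains_script_breakout(render_script_unsafe(SAMPLE_NAME)))
    print("safe breaks out:  ", contains_script_breakout(render_script_safe(SAMPLE_NAME)))
```

The check is deliberately crude: it mirrors how the HTML tokenizer behaves rather than how JavaScript would read the string, which is exactly the mismatch this class of bug exploits. Escaping at serialization time, rather than filtering names at input, means every place the value is rendered is covered.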
Please upgrade in bug 522472 to Version 1.7.27 or above.
Maintainer(s), Thank you for your work. No GLSA needed as there are no stable versions.