CVE-2014-3994

Published: Jun 16, 2014Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.

Affected (6)

Products: Reviewboard: Djblets, Reviewboard

2 products

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Reviewboard Djblets	Up to 0.7.29
Reviewboard Djblets	Version 0.7.27
Reviewboard Djblets	Version 0.7.28
Reviewboard Djblets	Version 0.8.1
Reviewboard Djblets	Version 0.8.2
Reviewboard Reviewboard	All versions

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (16)

http://seclists.org/oss-sec/2014/q2/494

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://seclists.org/oss-sec/2014/q2/498

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://secunia.com/advisories/58691

Source: cve@mitre.org

Permissions RequiredThird Party Advisory

http://www.securityfocus.com/bid/67932

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://code.google.com/p/reviewboard/issues/detail?id=3406

Source: cve@mitre.org

Not Applicable

https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd

Source: cve@mitre.org

Issue TrackingPatch

https://github.com/djblets/djblets/commit/77a68c03cd619a0996f3f37337b8c39ca6643d6e

Source: cve@mitre.org

ExploitIssue TrackingPatch

https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf

Source: cve@mitre.org

Issue TrackingPatch

http://seclists.org/oss-sec/2014/q2/494

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://seclists.org/oss-sec/2014/q2/498

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://secunia.com/advisories/58691

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

http://www.securityfocus.com/bid/67932

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://code.google.com/p/reviewboard/issues/detail?id=3406

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://github.com/djblets/djblets/commit/77a68c03cd619a0996f3f37337b8c39ca6643d6e

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatch

https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

Timeline

No history available yet.