CVE-2013-2209

Review Board 1.6.x-1.6.16 and 1.7.x-1.7.9 - Cross-Site Scripting via Auto-Complete Widget

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the auto-complete widget in htdocs/media/rb/js/reviews.js in Review Board 1.6.x before 1.6.17 and 1.7.x before 1.7.10 allows remote attackers to inject arbitrary web script or HTML via a full name.

References (7)

Core 7

Core References

Various Sources x_refsource_misc

http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard

Issue Tracking x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=977423

Vendor Advisory x_refsource_confirm

http://www.reviewboard.org/news/2013/06/22/review-board-1617-and-1710-released/

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2013/06/24/2

Exploit, Patch x_refsource_confirm

https://github.com/reviewboard/reviewboard/commit/4aaacbb1e628a80803ba1a55703db38fccdf7dbf

View Exploit ZIP pw:eip

Various Sources x_refsource_confirm

http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.17/

Various Sources x_refsource_confirm

http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/

Scores

EPSS 0.0216

EPSS Percentile 79.9%

Details

CWE

CWE-79

Status published

Products (29)

pypi/reviewboard 1.6 - 1.6.17PyPI

reviewboard/review_board 1.6 (5 CPE variants)

reviewboard/review_board 1.6.1

reviewboard/review_board 1.6.2

reviewboard/review_board 1.6.3

reviewboard/review_board 1.6.4

reviewboard/review_board 1.6.5

reviewboard/review_board 1.6.6

reviewboard/review_board 1.6.7

reviewboard/review_board 1.6.8

... and 19 more

Published Jul 31, 2013

Tracked Since Feb 18, 2026