oss-sec mailing list archives

Re: CVE Request -- Review Board: Stored XSS due to improper sanitization of user's full name in the reviews dropdown (fixed in upstream versions 1.7.10 and 1.6.17)


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 24 Jun 2013 09:38:16 -0600


On 06/24/2013 08:46 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

A persistent / stored cross-site scripting (XSS) flaw was found in
the way the reviews dropdown of Review Board, a web-based code review
tool, performed sanitization of certain user information (full
name). A remote attacker could provide a specially-crafted URL
that, when visited, would lead to arbitrary HTML or web script
execution in the context of a Review Board user's session.

References:
[1] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
[2] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.17/
[3] http://www.reviewboard.org/news/2013/06/22/review-board-1617-and-1710-released/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=977423

Upstream patch:
[5] https://github.com/reviewboard/reviewboard/commit/4aaacbb1e628a80803ba1a55703db38fccdf7dbf

Upstream acknowledges Craig Young at Tripwire as the original
issue reporter.

Can you allocate a CVE identifier for this?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team


Please use CVE-2013-2209 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
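The flaw class this request describes, as an added illustration that is not code from Review Board or from anyone in this thread: a stored full name concatenated straight into the markup of a reviewers dropdown, shown beside the output-escaped form, plus a small check a reviewer can run over the rendered HTML. The sample reviewers, the function names, and the attribute-plus-text layout of the dropdown are assumptions; the advisory and release notes do not show the affected template or script.

```javascript
// Added illustration, not Review Board's code: stored XSS via an unescaped
// user full name rendered into a dropdown, and the escaped counterpart.
// Field names, markup layout and sample data below are assumptions.

// Constructed sample data: the second reviewer's stored full name breaks out
// of a double-quoted attribute and injects an <img> with an event handler.
const REVIEWERS = [
  { username: "alice", fullName: "Alice Example" },
  { username: "mallory", fullName: '"><img src=x onerror=alert(document.cookie)>' },
];

// Escape the characters that change HTML parsing state. Covers HTML text and
// quoted attribute values; it is NOT sufficient for JavaScript, URL or CSS contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored user data concatenated straight into markup.
// Because the name is stored server-side, every viewer of the dropdown runs it.
function renderDropdownVulnerable(reviewers) {
  const items = reviewers.map((r) =>
    '<li><a href="#" title="' + r.fullName + '">' +
    r.fullName + " (" + r.username + ")</a></li>");
  return '<ul class="reviews-dropdown">' + items.join("") + "</ul>";
}

// Hardened pattern: every untrusted value escaped at output time, in every
// position it lands in (here: an attribute value and element text).
function renderDropdownSafe(reviewers) {
  const items = reviewers.map((r) =>
    '<li><a href="#" title="' + escapeHtml(r.fullName) + '">' +
    escapeHtml(r.fullName) + " (" + escapeHtml(r.username) + ")</a></li>");
  return '<ul class="reviews-dropdown">' + items.join("") + "</ul>";
}

// Reviewer's check: list the tag names in rendered markup that the template
// itself does not emit. Anything returned came from injected data.
function unexpectedTags(html, allowed = ["ul", "li", "a"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.includes(t));
}

// Stand-alone run: show what the check finds in each rendering.
console.log("vulnerable:", unexpectedTags(renderDropdownVulnerable(REVIEWERS)));
console.log("safe:      ", unexpectedTags(renderDropdownSafe(REVIEWERS)));
```

The hand-rolled escaper is there to make the transformation visible; in a Django application the same effect comes from the template engine's autoescaping, and in browser-side code from building the dropdown with `textContent` and `setAttribute` rather than string concatenation. The check only covers the HTML text and quoted-attribute contexts used here; a name landing inside an inline event handler or a `javascript:` URL needs context-specific encoding that `escapeHtml` does not provide.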