CVE-2011-4312: XSS
First published: Tue Nov 15 2011(Updated: )
A cross-site scripting (XSS) flaw was found in the way the commenting system of the ReviewBoard, a web-based code review tool, sanitized user input (new comments to be loaded). A remote attacker could provide a specially-crafted URL, which once visited by valid ReviewBoard user could lead to arbitrary HTML or web script execution in the 'diff viewer' or 'screenshot pages' components. References: [1] <a href="http://www.reviewboard.org/news/">http://www.reviewboard.org/news/</a> [2] <a href="http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.6.3/">http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.6.3/</a> Relevant upstream patch: [3] <a href="https://github.com/reviewboard/reviewboard/commit/7a0a9d94555502278534dedcf2d75e9fccce8c3d">https://github.com/reviewboard/reviewboard/commit/7a0a9d94555502278534dedcf2d75e9fccce8c3d</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Reviewboard Review Board | =1.5.1 | |
| Reviewboard Review Board | =1.5.4 | |
| Reviewboard Review Board | =1.0-rc1 | |
| Reviewboard Review Board | =1.0-alpha3 | |
| Reviewboard Review Board | =1.0.9 | |
| Reviewboard Review Board | =1.0-rc2 | |
| Reviewboard Review Board | =1.5-beta2 | |
| Reviewboard Review Board | =1.5.5 | |
| Reviewboard Review Board | =1.0.5.1 | |
| Reviewboard Review Board | =1.0.3 | |
| Reviewboard Review Board | =1.0-beta1 | |
| Reviewboard Review Board | =1.5.2 | |
| Reviewboard Review Board | =1.5-rc2 | |
| Reviewboard Review Board | =1.0-alpha4 | |
| Reviewboard Review Board | =1.0.8 | |
| Reviewboard Review Board | =1.0.1 | |
| Reviewboard Review Board | =1.6-beta1 | |
| Reviewboard Review Board | =1.6 | |
| Reviewboard Review Board | <=1.5.6 | |
| Reviewboard Review Board | =1.6-rc1 | |
| Reviewboard Review Board | =1.5 | |
| Reviewboard Review Board | =1.0.7 | |
| Reviewboard Review Board | =1.6-beta2 | |
| Reviewboard Review Board | =1.0 | |
| Reviewboard Review Board | =1.0.5 | |
| Reviewboard Review Board | =1.5-beta1 | |
| Reviewboard Review Board | =1.6-rc2 | |
| Reviewboard Review Board | =1.0-beta2 | |
| Reviewboard Review Board | =1.6.1 | |
| Reviewboard Review Board | =1.0-alpha1 | |
| Reviewboard Review Board | =1.1-alpha2 | |
| Reviewboard Review Board | =1.5-rc1 | |
| Reviewboard Review Board | =1.0.6 | |
| Reviewboard Review Board | =1.0.2 | |
| Reviewboard Review Board | =1.1-alpha1 | |
| Reviewboard Review Board | =1.0-alpha2 | |
| Reviewboard Review Board | =1.0-rc3 | |
| Reviewboard Review Board | =1.0.4 | |
| Reviewboard Review Board | =1.6.2 | |
| Reviewboard Review Board | =1.5.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.6.3/
- https://github.com/reviewboard/reviewboard/commit/7a0a9d94555502278534dedcf2d75e9fccce8c3d
- https://bugzilla.redhat.com/show_bug.cgi?id=754126
- http://www.openwall.com/lists/oss-security/2011/11/15/8
- http://www.openwall.com/lists/oss-security/2011/11/15/9
- http://secunia.com/advisories/46840
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/070091.html
- http://www.securityfocus.com/bid/50681
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/070176.html
- http://www.reviewboard.org/news/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=754130
- https://access.redhat.com/security/cve/CVE-2011-4312
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-4312
- vendor/reviewboard
- canonical/reviewboard review board
- version/reviewboard review board/1.5.1
- version/reviewboard review board/1.5.4
- version/reviewboard review board/1.0-rc1
- version/reviewboard review board/1.0-alpha3
- version/reviewboard review board/1.0.9
- version/reviewboard review board/1.0-rc2
- version/reviewboard review board/1.5-beta2
- version/reviewboard review board/1.5.5
- version/reviewboard review board/1.0.5.1
- version/reviewboard review board/1.0.3
- version/reviewboard review board/1.0-beta1
- version/reviewboard review board/1.5.2
- version/reviewboard review board/1.5-rc2
- version/reviewboard review board/1.0-alpha4
- version/reviewboard review board/1.0.8
- version/reviewboard review board/1.0.1
- version/reviewboard review board/1.6-beta1
- version/reviewboard review board/1.6
- version/reviewboard review board/1.5.6
- version/reviewboard review board/1.6-rc1
- version/reviewboard review board/1.5
- version/reviewboard review board/1.0.7
- version/reviewboard review board/1.6-beta2
- version/reviewboard review board/1.0
- version/reviewboard review board/1.0.5
- version/reviewboard review board/1.5-beta1
- version/reviewboard review board/1.6-rc2
- version/reviewboard review board/1.0-beta2
- version/reviewboard review board/1.6.1
- version/reviewboard review board/1.0-alpha1
- version/reviewboard review board/1.1-alpha2
- version/reviewboard review board/1.5-rc1
- version/reviewboard review board/1.0.6
- version/reviewboard review board/1.0.2
- version/reviewboard review board/1.1-alpha1
- version/reviewboard review board/1.0-alpha2
- version/reviewboard review board/1.0-rc3
- version/reviewboard review board/1.0.4
- version/reviewboard review board/1.6.2
- version/reviewboard review board/1.5.3