PT-2013-3599 · Beanbag · Review Board

Craig Young

Published

2013-07-31

Updated

2022-05-17

CVE-2013-2209

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Review Board versions 1.6.x through 1.6.16 Review Board versions 1.7.x through 1.7.9

Description A cross-site scripting (XSS) issue exists in the auto-complete widget, allowing remote attackers to inject arbitrary web script or HTML via a full name. This is due to a vulnerability in the htdocs/media/rb/js/reviews.js file.

Recommendations For Review Board versions 1.6.x through 1.6.16, update to version 1.6.17 or later. For Review Board versions 1.7.x through 1.7.9, update to version 1.7.10 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2013-2209

GHSA-6G7X-4C7M-G63M

Affected Products

Review Board

PT-2013-3599 · Beanbag · Review Board

CVE-2013-2209

Weakness Enumeration

Related Identifiers

Affected Products

References · 10