CVE-2013-4796
https://notcve.org/view.php?id=CVE-2013-4796
ReviewBoard 1.6.17 allows code execution by attaching PHP scripts to review request ReviewBoard versión 1.6.17, permite una ejecución de código adjuntando scripts PHP en una petición de revisión • http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard https://exchange.xforce.ibmcloud.com/vulnerabilities/86411 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2013-4411
https://notcve.org/view.php?id=CVE-2013-4411
Review Board: URL processing gives unauthorized users access to review lists Review Board: el procesamiento de URL otorga acceso a usuarios no autorizados en listas de revisión. • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html http://www.securityfocus.com/bid/63023 https://access.redhat.com/security/cve/cve-2013-4411 https:/& • CWE-863: Incorrect Authorization •
CVE-2013-4410
https://notcve.org/view.php?id=CVE-2013-4410
ReviewBoard: has an access-control problem in REST API ReviewBoard: presenta un problema de control de acceso en la API REST. • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html http://www.securityfocus.com/bid/63022 https://access.redhat.com/security/cve/cve-2013-4410 https:/& • CWE-863: Incorrect Authorization •
CVE-2014-3994
https://notcve.org/view.php?id=CVE-2014-3994
Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name. Vulnerabilidad de XSS en util/templatetags/djblets_js.py en Djblets anterior a 0.7.30 y 0.8.x anterior a 0.8.3 para Django, utilizado en Review Board, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un objeto JSON, tal y como fue demostrado por el campo de nombre cuando se cambia un nombre de usuario. • http://seclists.org/oss-sec/2014/q2/494 http://seclists.org/oss-sec/2014/q2/498 http://secunia.com/advisories/58691 http://www.securityfocus.com/bid/67932 https://code.google.com/p/reviewboard/issues/detail?id=3406 https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd https://github.com/djblets/djblets/commit/77a68c03cd619a0996f3f37337b8c39ca6643d6e https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •