Vulnerability Details : CVE-2011-4312
Multiple cross-site scripting (XSS) vulnerabilities in the commenting system in Review Board before 1.5.7 and 1.6.x before 1.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) diff viewer or (2) screenshot component.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2011-4312
Probability of exploitation activity in the next 30 days: 0.31%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 66 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-4312
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-4312
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4312
-
http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.6.3/
Review Board 1.6.3 Release Notes | Documentation | Review Board
-
https://bugzilla.redhat.com/show_bug.cgi?id=754126
754126 – (CVE-2011-4312) CVE-2011-4312 ReviewBoard: XSS in the commenting system (diff viewer and screenshot pages)
-
http://www.securityfocus.com/bid/50681
ReviewBoard Commenting System Cross Site Scripting Vulnerability
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/070091.html
[SECURITY] Fedora 15 Update: ReviewBoard-1.5.7-1.fc15
-
http://www.openwall.com/lists/oss-security/2011/11/15/9
oss-security - Re: CVE Request -- ReviewBoard v1.5.7 && v1.6.3 -- XSS in the commenting system (diff viewer and screenshot pages components)
-
https://github.com/reviewboard/reviewboard/commit/7a0a9d94555502278534dedcf2d75e9fccce8c3d
Fix a comment vulnerability allowing scripts to be loaded. · reviewboard/reviewboard@7a0a9d9 · GitHubPatch
-
http://www.openwall.com/lists/oss-security/2011/11/15/8
oss-security - CVE Request -- ReviewBoard v1.5.7 && v1.6.3 -- XSS in the commenting system (diff viewer and screenshot pages components)
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/070176.html
[SECURITY] Fedora 16 Update: ReviewBoard-1.6.3-1.fc16
Products affected by CVE-2011-4312
- cpe:2.3:a:reviewboard:review_board:*:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.1:alpha2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.1:alpha1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:reviewboard:review_board:1.0:beta1:*:*:*:*:*:*