ReviewBoard (www.reviewboard.org) aims to 'take the pain out of code review'. Integration with source control makes it imperative to maintain proper protections on this server. I have worked with the developers to resolve multiple XSS conditions and harden web server configurations. The XSS conditions are resolved by upgrading to the latest release but the arguably more important fix (configuration change) must be manually applied to existing sites. ReviewBoard admins are advised to upgrade and review your Apache/nginx configurations to avoid access control bypass, code execution, and xss. I have prepared a blog post to explain the issues and provide proof-of-concept/reproduction information: http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard/ Thanks, Craig Young Security Researcher, Tripwire VERT @CraigTweets