A persistent / stored cross-site scripting (XSS) flaw was found in the way the reviews dropdown of Review Board, a web-based code review tool, performed sanitization of certain user information (full name). A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the Review Board user's session.

References:
[1] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
[2] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.17/
[3] http://www.reviewboard.org/news/2013/06/22/review-board-1617-and-1710-released/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=977423

Upstream patch:
[5] https://github.com/reviewboard/reviewboard/commit/4aaacbb1e628a80803ba1a55703db38fccdf7dbf

Upstream acknowledges Craig Young at Tripwire as the original issue reporter.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
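The flaw class described above (a user-supplied full name rendered into a dropdown without escaping) is illustrated by the following added Python example. It is not the advisory's text and not Review Board's code, and it does not reproduce the upstream patch; it simply contrasts an unescaped rendering of a user list with one that HTML-escapes every user-controlled value, plus a small regression check a reviewer could run over rendered output. The user names and display names are constructed for this example.

```python
import html

# Constructed sample accounts: a plain name, one carrying harmless markup and one
# carrying script, as a stored-XSS test fixture. All values are made up.
SAMPLE_USERS = [
    ("alice", "Alice Example"),
    ("bob", "Bob <b>Builder</b>"),
    ("mallory", '"><script>alert(1)</script>'),
]


def render_dropdown_unescaped(users):
    """Vulnerable form: the full name (and username) are interpolated into the
    <option> markup verbatim, so any HTML stored in the profile is rendered."""
    items = "".join(
        f'<option value="{username}">{full_name}</option>'
        for username, full_name in users
    )
    return f"<select>{items}</select>"


def render_dropdown_escaped(users):
    """Hardened form: every user-controlled value is HTML-escaped before it is
    placed either in an attribute (quote=True also escapes quotes) or in text."""
    items = "".join(
        f'<option value="{html.escape(username, quote=True)}">'
        f"{html.escape(full_name, quote=True)}</option>"
        for username, full_name in users
    )
    return f"<select>{items}</select>"


def contains_unescaped_markup(rendered, untrusted_values):
    """Regression check: does any untrusted value that contains a markup
    metacharacter appear verbatim in the rendered page? True means a stored
    value reached the DOM unescaped."""
    risky = [v for v in untrusted_values if any(c in v for c in '<>"')]
    return any(v in rendered for v in risky)


if __name__ == "__main__":
    names = [full_name for _, full_name in SAMPLE_USERS]
    for label, renderer in (("unescaped", render_dropdown_unescaped),
                            ("escaped", render_dropdown_escaped)):
        out = renderer(SAMPLE_USERS)
        print(f"{label}: leaks markup = {contains_unescaped_markup(out, names)}")
        print(out)
```

The check is deliberately coarse: it only flags values that contain `<`, `>` or `"` appearing verbatim, which is enough to catch the dropdown case described in the advisory. In a Django-based application such as Review Board, template autoescaping covers the common case, so a review of this kind of bug usually concentrates on places where escaping has been switched off (`mark_safe`, the `safe` filter, string concatenation of HTML in Python or JavaScript).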