CVE-2014-3994

medium

Published 2014-06-16 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2

4.3

VIR risk

4.3

Description

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/77a68c03cd619a0996f3f37337b8c39ca6643d6e

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	djblets	`<0.7.30`	`0.7.30`
PyPI	djblets	`>=0.8,<0.8.3`	`0.8.3`
PyPI	djblets	`<e2c79117efd925636acd871a5f473512602243cf\|\|>=0.8,<0.8.3`	`50000d0bbb983fa8c097b588d06b64df8df483bd`

Application impact

Vendor	Product	Versions
reviewboard	djblets	`{"endIncluding":"0.7.29"}`
reviewboard	djblets	`0.7.27`
reviewboard	djblets	`0.7.28`
reviewboard	djblets	`0.8.1`
reviewboard	djblets	`0.8.2`
reviewboard	reviewboard	`-`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.