CVE-2014-3995

medium

Published 2022-05-17 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2

4.3

VIR risk

4.3

Description

Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	djblets	`<0.7.30`	`0.7.30`
PyPI	djblets	`>=0.8,<0.8.3`	`0.8.3`
PyPI	djblets	`<e2c79117efd925636acd871a5f473512602243cf\|\|>=0.8,<0.8.3`	`50000d0bbb983fa8c097b588d06b64df8df483bd`

Application impact

Vendor	Product	Versions
reviewboard	djblets	`{"endIncluding":"0.7.29"}`
reviewboard	djblets	`0.7.27`
reviewboard	djblets	`0.7.28`
reviewboard	djblets	`0.8.1`
reviewboard	djblets	`0.8.2`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.