CVE requests for Review Board

[Christian Hammond <christian () beanbaginc com>]

Hi,

We have two security vulnerabilities that were just discovered, which both need CVEs assigned. This is for Review Board 
(https://www.reviewboard.org). Neither are publicly disclosed.

The first was discovered in-house and applies to all Review Board 1.7.x and 2.0.x releases. It allows a user without 
access to a private review request to retrieve the original or patched files associated with that review request 
through the API, if they know all the relevant database IDs.

The second was discovered by “Uchida.” It allows a user to compose a URL to a rendered section of a diff on Review 
Board and inject HTML through a query parameter. That URL could then be handed to another user (most likely embedded in 
an iframe in another page), allowing a custom script to be executed on their behalf. This also applies to both 1.7.x 
and 2.0.x.

Our plan is to get a release out with fixes for these sometime today/tonight.

Thanks,

Christian

-- 
Christian Hammond - christian () beanbaginc com
Review Board - http://www.reviewboard.org
Beanbag, Inc. - http://www.beanbaginc.com