Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability exists within Review Board versions 3.0.20 and 4.0 RC1 and earlier. An authenticated attacker may inject malicious Javascript code when using Markdown editing within the application which remains persistent.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Reviewboard | Review Board | 3.0.20 |
Related Weaknesses (CWE)
References
- https://mattschmidt.net/2021/04/14/review-board-xss-discovered/ExploitThird Party Advisory
- https://www.reviewboard.org/docs/releasenotes/reviewboard/3.0.21/Release NotesVendor Advisory
- https://www.reviewboard.org/docs/releasenotes/reviewboard/4.0-rc-2/Release NotesVendor Advisory
- https://www.reviewboard.org/news/2021/04/14/review-board-3-0-21-and-4-0-rc-2-secRelease NotesVendor Advisory
- https://mattschmidt.net/2021/04/14/review-board-xss-discovered/ExploitThird Party Advisory
- https://www.reviewboard.org/docs/releasenotes/reviewboard/3.0.21/Release NotesVendor Advisory
- https://www.reviewboard.org/docs/releasenotes/reviewboard/4.0-rc-2/Release NotesVendor Advisory
- https://www.reviewboard.org/news/2021/04/14/review-board-3-0-21-and-4-0-rc-2-secRelease NotesVendor Advisory
FAQ
What is CVE-2021-31330?
CVE-2021-31330 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A Cross-Site Scripting (XSS) vulnerability exists within Review Board versions 3.0.20 and 4.0 RC1 and earlier. An authenticated attacker may inject malicious Javascript code when using Markdown editin...
How severe is CVE-2021-31330?
CVE-2021-31330 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31330?
Check the references section above for vendor advisories and patch information. Affected products include: Reviewboard Review Board.