CVE-2014-3995 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00407.

Key SSVC decision points have not yet been added.

Vendors	Products
Reviewboard	Djblets

Configuration 1 [-]

OR	cpe:2.3:a:reviewboard:djblets::::::::
	cpe:2.3:a:reviewboard:djblets:0.7.27:::::::*
	cpe:2.3:a:reviewboard:djblets:0.7.28:::::::*
	cpe:2.3:a:reviewboard:djblets:0.8.1:::::::*
	cpe:2.3:a:reviewboard:djblets:0.8.2:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2014-0017	Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.
Github GHSA	GHSA-4xf6-xr96-7vmp	Djblets Cross-site scripting Vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/oss-sec/2014/q2/494
http://seclists.org/oss-sec/2014/q2/498
http://secunia.com/advisories/58691
https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd
https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7
https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-06-16T18:00:00

Updated: 2024-08-06T11:04:26.958Z

Reserved: 2014-06-06T00:00:00

Link: CVE-2014-3995

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-06-16T18:55:09.497

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-3995

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-06-06T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-06-16T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140606 Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q2/494"}, {"name": "[oss-security] 20140606 Re: Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q2/498"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7"}, {"name": "58691", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/58691"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3995", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140606 Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q2/494"}, {"name": "[oss-security] 20140606 Re: Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q2/498"}, {"name": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7", "refsource": "CONFIRM", "url": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7"}, {"name": "58691", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/58691"}, {"name": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf", "refsource": "CONFIRM", "url": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf"}, {"name": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd", "refsource": "CONFIRM", "url": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:04:26.958Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140606 Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q2/494"}, {"name": "[oss-security] 20140606 Re: Requesting CVEs issued for two XSS vulnerabilities in Djblets (a set of Django helpers)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q2/498"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7"}, {"name": "58691", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/58691"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3995", "datePublished": "2014-06-16T18:00:00", "dateReserved": "2014-06-06T00:00:00", "dateUpdated": "2024-08-06T11:04:26.958Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:reviewboard:djblets:*:*:*:*:*:*:*:*", "matchCriteriaId": "686B0A9E-DC65-4162-9A17-6BC638220C4C", "versionEndIncluding": "0.7.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewboard:djblets:0.7.27:*:*:*:*:*:*:*", "matchCriteriaId": "96E63A81-C146-4FF8-B42F-5FF3D337DFBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewboard:djblets:0.7.28:*:*:*:*:*:*:*", "matchCriteriaId": "692BC2AF-0253-4907-AC90-A2ACC0A1CA8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewboard:djblets:0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E578875D-92CD-4D36-8F28-CA1928495770", "vulnerable": true}, {"criteria": "cpe:2.3:a:reviewboard:djblets:0.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "A4477F46-9341-4DD0-B809-361AEBC3A7C2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name."}, {"lang": "es", "value": "Vulnerabilidad de XSS en gravatars/templatetags/gravatars.py en Djblets anterior a 0.7.30 y 0.8.x anterior a 0.8.3 para Django permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nombre de pantalla de usuario."}], "id": "CVE-2014-3995", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-06-16T18:55:09.497", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q2/494"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q2/498"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/58691"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q2/494"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q2/498"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/58691"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/djblets/djblets/commit/50000d0bbb983fa8c097b588d06b64df8df483bd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/djblets/djblets/commit/77ac64642ad530bf69e390c51fc6fdcb8914c8e7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/djblets/djblets/commit/e2c79117efd925636acd871a5f473512602243cf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}