CVE-2013-4795 in Board
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in the Submitters list in Review Board 1.6.x before 1.6.18 and 1.7.x before 1.7.12 allows remote attackers to inject arbitrary web script or HTML via a user full name.
Analysis
by VulDB Data Team • 05/10/2026
The CVE-2013-4795 vulnerability represents a critical cross-site scripting flaw discovered in the Review Board code review platform, specifically affecting versions 1.6.x prior to 1.6.18 and 1.7.x prior to 1.7.12. This vulnerability resides within the Submitters list functionality, which is a core component of the code review process where users can view and manage contributors to review requests. The flaw stems from insufficient input validation and output encoding mechanisms that fail to properly sanitize user-provided data before rendering it within web pages. Attackers can exploit this weakness by crafting malicious user full names containing embedded script code that executes in the context of other users' browsers when the Submitters list is displayed.
The technical implementation of this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities where untrusted data is improperly integrated into web pages without adequate sanitization or encoding. The vulnerability operates by bypassing the application's normal input validation procedures, allowing malicious payloads to be stored in the user database and subsequently executed whenever the affected page is rendered. This particular flaw demonstrates how seemingly benign user profile information can become a vector for sophisticated attacks, as the full name field is typically treated as trusted user input rather than a potential injection point. The attack requires no special privileges or authentication, making it particularly dangerous as it can be exploited by any remote user with access to the Review Board interface.
The operational impact of CVE-2013-4795 extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, steal sensitive information, redirect users to malicious sites, or even execute arbitrary commands on behalf of authenticated users. Given that Review Board is commonly used in enterprise environments for code review processes, this vulnerability could enable attackers to access proprietary code repositories, manipulate review processes, or exfiltrate confidential information. The vulnerability also aligns with ATT&CK technique T1566, which covers credential harvesting through social engineering and web-based attacks, as attackers could craft malicious full names that would be displayed to other users and potentially capture their credentials or session tokens. The persistent nature of stored XSS vulnerabilities means that the malicious code remains active until the affected application is patched and the compromised data is cleaned.
Organizations utilizing affected Review Board versions should prioritize immediate patching to remediate this vulnerability, as the 1.6.18 and 1.7.12 releases contain the necessary security fixes. The mitigation strategy should include comprehensive input validation for all user-provided data, particularly fields used in user interface rendering, and implementation of proper output encoding mechanisms that ensure any potentially malicious content is treated as data rather than executable code. Security teams should also conduct thorough vulnerability assessments of their code review infrastructure to identify similar patterns that may exist in other input handling components. Additionally, network monitoring should be enhanced to detect anomalous script execution patterns, and user education programs should emphasize the importance of not clicking on suspicious links or content within code review platforms, as this vulnerability demonstrates how legitimate application features can be subverted for malicious purposes. The incident highlights the critical importance of maintaining robust input sanitization practices throughout web applications, particularly in collaborative environments where user-generated content is prevalent.
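The output-encoding and data-cleanup steps described above, as an added example (not Review Board's code and not part of the original entry): a submitters-style table row rendered without and with encoding, plus an audit of stored full names. The function names, row markup and sample records are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample records standing in for stored user profiles.
USERS = [
    {"username": "alice", "full_name": "Alice Example"},
    {"username": "bob", "full_name": "Bob O'Neil & Sons"},
    {"username": "mallory", "full_name": "<script>/* constructed marker */</script>"},
]

ROW = '<tr><td><a href="/users/%s/">%s</a></td><td>%s</td></tr>'


def render_row_unsafe(user):
    """'Before' form: stored fields are concatenated into markup as-is."""
    return ROW % (user["username"], user["username"], user["full_name"])


def render_row_safe(user):
    """Hardened form: encode each field for the context it lands in."""
    href = html.escape(quote(user["username"], safe=""), quote=True)
    return ROW % (
        href,
        html.escape(user["username"], quote=True),
        html.escape(user["full_name"], quote=True),
    )


# Markup indicators that a display name should never need.
MARKUP = re.compile(r"[<>]|&#|\bjavascript:", re.IGNORECASE)


def audit_full_names(users):
    """Return usernames whose stored full name contains markup, so the
    records can be reviewed and cleaned after the upgrade."""
    return [u["username"] for u in users if MARKUP.search(u["full_name"])]


if __name__ == "__main__":
    for u in USERS:
        print(render_row_safe(u))
    print("review:", audit_full_names(USERS))
```

Legitimate names containing `&` or an apostrophe render correctly once encoded and are not flagged by the audit, which only reports records for manual review.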