Improper Input Validation
An eval() vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests.
Django's JSON serialization does not escape any characters to make the output safe for embedding in HTML. An attacker who controls part of a JSON-serializable object can therefore craft a string that breaks out of the enclosing tag and creates its own, injecting a custom script.
The generated gravatar HTML did not escape the user's display name, allowing an attacker to choose a name that closes out the tag and injects a tag of their own.
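As an added illustration of the three issues described above (this is example code, not Djblets or Review Board code), the following Python serializes JSON with the HTML-significant characters escaped, parses a request body with json.loads instead of eval(), and renders a gravatar tag with the display name escaped as attribute text. The function names, the image URL and the sample display name are constructed for this example.

```python
import html
import json
from typing import Any

# JSON that will be embedded in HTML must not contain raw characters the HTML
# parser acts on.  Replacing them with JSON \uXXXX escapes keeps the text
# valid JSON (JSON.parse and a JS literal decode them back) while removing the
# bytes that would close a <script> block or an attribute.  json.dumps uses
# ensure_ascii=True, so non-ASCII characters such as U+2028 are already escaped.
_HTML_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_html(obj: Any) -> str:
    """Serialize obj as JSON that is safe to embed inside a <script> element."""
    text = json.dumps(obj)
    for raw, escaped in _HTML_UNSAFE.items():
        text = text.replace(raw, escaped)
    return text


def parse_json_request(body: str) -> Any:
    """Parse an untrusted JSON request body with json.loads, never eval().

    json.loads accepts only JSON syntax and raises ValueError on anything
    else, so the body can never be evaluated as Python code.
    """
    return json.loads(body)


def gravatar_html(image_url: str, display_name: str) -> str:
    """Render a gravatar <img> with the user-chosen display name escaped as
    attribute text, so it cannot close the tag and open another one."""
    return '<img src="%s" alt="%s">' % (
        html.escape(image_url, quote=True),
        html.escape(display_name, quote=True),
    )


# Constructed sample: a display name chosen to close the surrounding tag.
SAMPLE_NAME = "</script><script>/*injected*/</script>"

if __name__ == "__main__":
    print(json_for_html({"name": SAMPLE_NAME}))
    print(gravatar_html("https://example.invalid/avatar.png", SAMPLE_NAME))
```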