Review Board 1.6.21 Release Notes¶
Release date: November 5, 2013
Fixed XSS vulnerabilities for the Branch field and uploaded file captions. (CVE-2013-4519)
It was possible to construct captions for uploaded files and construct a Branch field where the content would be interpreted as HTML.
Thanks to Frederik Braun at Mozilla for reporting this.