Moderate severity · NVD Advisory · Published Jun 16, 2014 · Updated May 6, 2026

CVE-2014-3994

Description

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.
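The escaping step the fix introduces, reimplemented stand-alone as an added example (this is not the Djblets code itself) so the pre-fix and post-fix behaviour can be run side by side: a dict containing the same payload the project's unit test uses is serialized, embedded in a <script> block the way a template would, and checked for whether the serialized data can terminate the script element early. The render_script_block and breaks_out_of_script helpers are assumptions made for the example.

```python
import json

# Same three characters the fix maps to JSON \uXXXX escapes. The output stays
# valid JSON (json.loads gives back the original data), but "</script" and
# "<!--" can no longer appear in the page source. json.dumps keeps its default
# ensure_ascii=True, so non-ASCII characters are already escaped.
_SAFE_JS_ESCAPES = {
    ord('&'): '\\u0026',
    ord('<'): '\\u003C',
    ord('>'): '\\u003E',
}


def json_dumps_unsafe(value, indent=None):
    """Pre-fix behaviour: plain json.dumps, later marked safe as-is."""
    return json.dumps(value, indent=indent)


def json_dumps_safe(value, indent=None):
    """Post-fix behaviour: serialize, then escape the HTML-significant characters."""
    return json.dumps(value, indent=indent).translate(_SAFE_JS_ESCAPES)


def render_script_block(var_name, payload):
    """Embed serialized data as a template would (hypothetical helper)."""
    return '<script>var {} = {};</script>'.format(var_name, payload)


def breaks_out_of_script(html):
    """True if an HTML parser would end the <script> element before its real close tag.

    Script data ends at '</script' (case-insensitive); '<!--' is also special
    inside script data, so both are treated as a break-out (hypothetical helper).
    """
    body = html[len('<script>'):-len('</script>')].lower()
    return '</script' in body or '<!--' in body


def compare(name):
    """Return (unsafe breaks out, safe breaks out, safe output round-trips)."""
    data = {'name': name}
    unsafe_html = render_script_block('user', json_dumps_unsafe(data))
    safe_html = render_script_block('user', json_dumps_safe(data))
    round_trips = json.loads(json_dumps_safe(data)) == data
    return breaks_out_of_script(unsafe_html), breaks_out_of_script(safe_html), round_trips


if __name__ == '__main__':
    # Constructed input: the payload from the project's regression test.
    print(compare('</script><script>alert(1);</script>'))  # (True, False, True)
```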

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
Djblets (PyPI)   < 0.7.30            0.7.30
Djblets (PyPI)   >= 0.8, < 0.8.3     0.8.3

Affected products

  • cpe:2.3:a:reviewboard:djblets:*:*:*:*:*:*:*:* (range: <=0.7.29)
  • cpe:2.3:a:reviewboard:djblets:0.7.27:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.7.28:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:djblets:0.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:reviewboard:reviewboard:-:*:*:*:*:*:*:*

Patches

e2c79117efd9

Update the 0.8.3 release notes with the CVEs.

https://github.com/djblets/djblets · Christian Hammond · Jun 8, 2014 · via ghsa
1 file changed · +4 -0
  • NEWS (+4 -0, modified)
    @@ -5,13 +5,17 @@ version 0.8.3 (6-June-2014):
     		  Users could construct a name that would allow for injecting
     		  JavaScript in the page. That name is now properly escaped.
     
    +		  This is CVE-2014-3995.
    +
     		* Fixed a XSS issue in json_dumps.
     
     		  JSON payloads constructed based on user input and then injected into
     		  a page could result in custom JavaScript being injected into the
     		  page. Additional escaping is now performed to ensure this does not
     		  happen.
     
    +		  This is CVE-2014-3994 (discovered by "uchida", bug #3406).
    +
     
     version 0.8.2 (2-June-2014):
     	* Packaging:
    
50000d0bbb98

Update the 0.7.30 release notes with the CVEs.

https://github.com/djblets/djblets · Christian Hammond · Jun 8, 2014 · via ghsa
1 file changed · +4 -0
  • NEWS (+4 -0, modified)
    @@ -5,13 +5,17 @@ version 0.7.30 final (6-June-2014):
     		  Users could construct a name that would allow for injecting
     		  JavaScript in the page. That name is now properly escaped.
     
    +		  This is CVE-2014-3995.
    +
     		* Fixed a XSS issue in json_dumps.
     
     		  JSON payloads constructed based on user input and then injected into
     		  a page could result in custom JavaScript being injected into the
     		  page. Additional escaping is now performed to ensure this does not
     		  happen.
     
    +		  This is CVE-2014-3994 (discovered by "uchida", bug #3406).
    +
     
     version 0.7.29 final (9-April-2014):
     	* djblets.webapi:
    
77a68c03cd61

Fix a XSS vulnerability with bad input to json_dumps.

https://github.com/djblets/djblets · Christian Hammond · Jun 6, 2014 · via ghsa
2 files changed · +27 -1
  • djblets/util/templatetags/djblets_js.py (+8 -1, modified)
    @@ -31,13 +31,20 @@
     from django.core.serializers import serialize
     from django.db.models.query import QuerySet
     from django.utils import six
    +from django.utils.encoding import force_text
     from django.utils.safestring import mark_safe
     
     from djblets.util.serializers import DjbletsJSONEncoder
     
     
     register = template.Library()
     
    +_safe_js_escapes = {
    +    ord('&'): '\\u0026',
    +    ord('<'): '\\u003C',
    +    ord('>'): '\\u003E',
    +}
    +
     
     @register.simple_tag
     def form_dialog_fields(form):
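Review bot: `_safe_js_escapes` has no comment saying why it maps only `&`, `<` and `>`. That set is the right one for output placed inside a <script> element, since it keeps `</script` and `<!--` out of the page source while the `\uXXXX` form stays valid JSON for the consumer, but it does not cover quotes, so json_dumps output is not safe inside an attribute value. A two-line comment stating the intended context would stop the next reader from either extending the table with quote escapes or assuming it protects attributes.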
    @@ -75,7 +82,7 @@ def json_dumps(value, indent=None):
         else:
             result = json.dumps(value, indent=indent, cls=DjbletsJSONEncoder)
     
    -    return mark_safe(result)
    +    return mark_safe(force_text(result).translate(_safe_js_escapes))
     
     
     @register.filter
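Review bot: applying `.translate()` at the single return means both the `serialize()` path for QuerySets and the `json.dumps` path shown here are escaped, and `force_text` is needed because on Python 2 `str.translate` takes a 256-entry table rather than the dict used here. The accompanying test only passes a dict; a second case with a QuerySet whose field value contains `<` would pin down that the serialize() branch is covered as well.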
    
  • djblets/util/templatetags/tests.py (+19 -0, added)
    @@ -0,0 +1,19 @@
    +from __future__ import unicode_literals
    +
    +from djblets.testing.testcases import TestCase
    +from djblets.util.templatetags.djblets_js import json_dumps
    +
    +
    +class JSTagTests(TestCase):
    +    """Unit tests for djblets_js template tags."""
    +    def test_json_dumps_xss(self):
    +        """Testing json_dumps doesn't allow XSS injection"""
    +        # This is bug 3406.
    +        obj = {
    +            'xss': '</script><script>alert(1);</script>'
    +        }
    +
    +        self.assertEqual(
    +            json_dumps(obj),
    +            '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E'
    +            'alert(1);\\u003C/script\\u003E"}')
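Review bot: the assertion covers `<` and `>` but never `&`, the third entry in `_safe_js_escapes`; adding a value such as `'a&b'` with expected output `"a\\u0026b"` would exercise it. It is also worth asserting that `json.loads()` of the escaped output equals the original dict, since that round-trip property is what makes the `\uXXXX` approach safe to ship without changes on the consuming side.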
    

