Multiple cross-site scripting (XSS) issues were found in askbot (a question-and-answer forum web application written in Python and Django) affecting various search forms (question, tag, and user searches). These issues were corrected in upstream version 0.7.49. Relevant upstream changes (two of the forms were fixed as part of a larger commit that also contains unrelated changes): https://github.com/ASKBOT/askbot-devel/commit/876e3662ff6b78cc6241338c15e3a0cb49edf4e2#diff-6868da9ad7c82c149086e59fac3af76b https://github.com/ASKBOT/askbot-devel/commit/876e3662ff6b78cc6241338c15e3a0cb49edf4e2#diff-b693b4c02739be4b3231bece15b0eb87 https://github.com/ASKBOT/askbot-devel/commit/a676a86b6b7a5737d4da4f59f71e037406f88d29
The question search XSS was reported by Kamil Sevi (@kamilsevi) for askbot running on https://ask.fedoraproject.org/ . The additional issues were noticed while investigating that report. All of these issues had been fixed upstream in version 0.7.49, which was already released at the time of the report.
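As an added illustration of the bug class (this is not askbot's code and not the upstream fix): a minimal Python stand-in for a search results page that reflects the submitted query, once without and once with HTML escaping, plus the canary probe one would run against each of the three search forms to confirm whether a fix escapes every reflection. The names `render_search_unsafe`, `render_search_safe`, `search_view`, `CANARY` and the constructed request string are hypothetical.

```python
import html
from urllib.parse import parse_qs

# Constructed canary: one character from each HTML context a search term can
# land in (text node, tag start, double- and single-quoted attribute value).
CANARY = 'probe"<canary>\'end'


def render_search_unsafe(query: str) -> str:
    """Hypothetical results page that reflects the raw query (the bug class).

    Both the text-node context and the attribute-value context receive the
    query verbatim, so '<' opens a tag and '"' closes the value attribute.
    """
    return (
        f"<h2>Search results for: {query}</h2>\n"
        f'<input type="text" name="query" value="{query}">'
    )


def render_search_safe(query: str) -> str:
    """Same page with HTML escaping applied to every reflection.

    html.escape(quote=True) turns & < > " ' into entities, which is what
    Django's default template autoescaping does for {{ query }}.
    """
    q = html.escape(query, quote=True)
    return (
        f"<h2>Search results for: {q}</h2>\n"
        f'<input type="text" name="query" value="{q}">'
    )


def search_view(query_string: str, render) -> str:
    """Stand-in for a GET search handler: decode ?query=... and render it."""
    params = parse_qs(query_string, keep_blank_values=True)
    query = params.get("query", [""])[0]
    return render(query)


def reflects_unescaped(render, canary: str = CANARY) -> bool:
    """True when the canary comes back byte-for-byte, i.e. nothing escaped it."""
    return canary in render(canary)


def surviving_metachars(render, canary: str = CANARY) -> set:
    """Return the HTML metacharacters from the canary that reach the page raw.

    Only the reflected span is inspected, so a '<' that belongs to the page's
    own markup is not counted as a finding.
    """
    body = render(canary)
    start = body.find("probe")
    end = body.find("end", start) + len("end")
    reflected = body[start:end]
    return {ch for ch in '<>"\'' if ch in reflected}


if __name__ == "__main__":
    # Constructed request: ?query=<script>alert(1)</script>, URL-encoded.
    request = "query=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    for name, render in (("unsafe", render_search_unsafe),
                         ("safe", render_search_safe)):
        print(f"[{name}] unescaped reflection: {reflects_unescaped(render)}; "
              f"surviving metachars: {sorted(surviving_metachars(render))}")
        print(search_view(request, render))
```

The probe has to be run against every place the term is reflected (heading, the pre-filled input, any "did you mean" or pagination links), since escaping one reflection leaves the others exploitable. In a Django app the usual ways a reflected value escapes autoescaping are the `|safe` filter, `mark_safe()`, `{% autoescape off %}` blocks, or HTML assembled by string formatting in Python as `render_search_unsafe` does; and `html.escape` is only correct for HTML text and attribute contexts, so a term that lands inside a `<script>` block or a URL needs the encoding for that context instead.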
Created askbot tracking bugs for this issue: Affects: fedora-all [bug 1070858]
CVE-2014-2235 was assigned to the question search XSS, CVE-2014-2236 to the tag and user search XSS. http://www.openwall.com/lists/oss-security/2014/02/28/8