Multiple cross-site scripting (XSS) issues were found in askbot (a question-and-answer forum web application written in Python and Django) affecting various search forms (question, tag, and user searches). These issues were corrected in upstream version 0.7.49.
Relevant upstream changes (two of the forms were fixed as part of the larger commit with unrelated changes):
The question search XSS was reported by Kamil Sevi (@kamilsevi) for askbot running on https://ask.fedoraproject.org/. Additional issues were noticed when investigating the report. All issues were fixed upstream in the released 0.7.49 at the time of the report.
Created askbot tracking bugs for this issue:
Affects: fedora-all [bug 1070858]
CVE-2014-2235 was assigned to the question search XSS, CVE-2014-2236 to the tag and user search XSS.