Multiple cross-site scripting (XSS) vulnerabilities in Review Board 1.6.x before 1.6.21 and 1.7.x before 1.7.17 allow remote attackers to inject arbitrary web script or HTML via the (1) Branch field or (2) caption of an uploaded file.
https://exchange.xforce.ibmcloud.com/vulnerabilities/88620
http://www.securityfocus.com/bid/63601
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.21