oss-sec mailing list archives
[OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)
From: Jeremy Stanley <jeremy () openstack org>
Date: Wed, 11 Dec 2013 15:54:13 +0000
OpenStack Security Advisory: 2013-036 CVE: CVE-2013-6858 Date: December 11, 2013 Title: Insufficient sanitization of Instance Name in Horizon Reporter: Cisco PSIRT Products: Horizon Affects: All supported releases Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected. Icehouse (development branch) fix: https://review.openstack.org/55175 Havana fix: https://review.openstack.org/58465 Grizzly fix: https://review.openstack.org/58820 Notes: This fix is included in the icehouse-1 development milestone and will appear in a future 2013.2.1 stable point release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858 https://launchpad.net/bugs/1247675 -- Jeremy Stanley OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: Digital signature
Current thread:
- [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858) Jeremy Stanley (Dec 11)