Home page logo
/

oss-sec logo oss-sec mailing list archives

[OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)
From: Jeremy Stanley <jeremy () openstack org>
Date: Wed, 11 Dec 2013 15:54:13 +0000

OpenStack Security Advisory: 2013-036
CVE: CVE-2013-6858
Date: December 11, 2013
Title: Insufficient sanitization of Instance Name in Horizon
Reporter: Cisco PSIRT
Products: Horizon
Affects: All supported releases

Description:
Cisco PSIRT reported a vulnerability in the OpenStack Horizon
dashboard. By embedding HTML tags in an Instance Name, a tenant may
execute a script within an administrator's browser resulting in a
cross-site scripting (XSS) attack. Only setups using the Horizon
dashboard are affected.

Icehouse (development branch) fix:
https://review.openstack.org/55175

Havana fix:
https://review.openstack.org/58465

Grizzly fix:
https://review.openstack.org/58820

Notes:
This fix is included in the icehouse-1 development milestone and
will appear in a future 2013.2.1 stable point release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858
https://launchpad.net/bugs/1247675

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: Digital signature


  By Date           By Thread  

Current thread:
  • [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858) Jeremy Stanley (Dec 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault