Package: horizon
Version: 2013.2-1
Severity: normal
Tags: security, fixed-upstream

Chris Chapman of Cisco PSIRT reports:

The OpenStack web user interface (horizon) is vulnerable to XSS: While launching (or editing) an instance, injecting <script> tags in the instance name results in the javascript being executed on the "Volumes" and the "Network Topology" page. This is a classic Stored XSS vulnerability.

External reference:
https://bugs.launchpad.net/ossa/+bug/1247675
https://review.openstack.org/58465
http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70

---
Henri Salo

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
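Added example, not part of the original report and not Horizon's own code: a regression check for the stored-XSS pattern described above, where a name saved on one page is later displayed on others. The render functions, their markup and the sample names are assumptions made for illustration; the check parses each rendered fragment and lists the elements and attributes a browser would create from it.

```python
import html
from html.parser import HTMLParser

# Constructed samples: instance names as they would sit in storage.
STORED_NAME = "web01<script>alert(1)</script>"
QUOTED_NAME = 'web01" onmouseover="alert(1)'


class Collector(HTMLParser):
    """Records the elements and attribute names found in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def parse(fragment):
    collector = Collector()
    collector.feed(fragment)
    collector.close()
    return collector


def volumes_row_unescaped(instance_name):
    # Hypothetical "before": the stored name is pasted into markup as-is.
    return "<tr><td>Attached to %s</td></tr>" % instance_name


def volumes_row_escaped(instance_name):
    # Hypothetical "after": encode for the HTML context at output time.
    return "<tr><td>Attached to %s</td></tr>" % html.escape(instance_name)


def topology_node_escaped(instance_name):
    # A second sink for the same stored value, including an attribute
    # context; html.escape() also encodes quotes (quote=True is the default).
    safe = html.escape(instance_name)
    return '<div class="node" title="%s">%s</div>' % (safe, safe)


if __name__ == "__main__":
    for render in (volumes_row_unescaped, volumes_row_escaped, topology_node_escaped):
        for name in (STORED_NAME, QUOTED_NAME):
            result = parse(render(name))
            print(render.__name__, result.tags, result.attr_names)
```

Every page that displays the stored name needs its own encoding step, so a check like this belongs on each such view rather than only on the form that accepts the name.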