OSSA-2013-036: Insufficient sanitization of Instance Name in Horizon

OSSA-2013-036: Insufficient sanitization of Instance Name in Horizon¶

Date:: December 11, 2013
CVE:: CVE-2013-6858

Affects¶

Horizon: All supported releases

Description¶

Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator’s browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.

Patches¶

https://review.openstack.org/#/c/58820 (Grizzly)
https://review.openstack.org/#/c/58465 (Havana)
https://review.openstack.org/#/c/55175 (Icehouse)

Credits¶

Cisco PSIRT from Cisco (CVE-2013-6858)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.