Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 507214 (CVE-2014-0157)

Summary: <www-apps/horizon-2013.2.3 : XSS in Horizon orchestration dashboard (CVE-2014-0157) (OSSA 2014-010)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-09 08:30:05 UTC
From ${URL} :

OpenStack Security Advisory: 2014-010
CVE: CVE-2014-0157
Date: April 08, 2014
Title: XSS in Horizon orchestration dashboard
Reporter: Cristian Fiorentino (Intel)
Products: Horizon
Versions: 2013.2 version up to 2013.2.3

Cristian Fiorentino from Intel reported a vulnerability in Horizon
Orchestration dashboard. By tricking a Horizon user into using a
malicious template in the Orchestration/Stack section of Horizon, a
remote attacker may trigger a cross-site-scripting vulnerability. It may
result in potential assets theft (Horizon user/admin access credentials,
tenants confidential information, etc.). Only setups exposing the
orchestration dashboard in Horizon are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.


@maintainer(s): this bug was filed for tracking purpose, no action is required
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-11 15:24:15 UTC
you sure? I think it wasn't fixed in tree...

I fixed it though, vulnerable versions removed