| Summary: | <www-apps/horizon-2013.2.3 : XSS in Horizon orchestration dashboard (CVE-2014-0157) (OSSA 2014-010) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/04/08/8 | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
you sure? I think it wasn't fixed in tree... I fixed it though, vulnerable versions removed |
From ${URL} : OpenStack Security Advisory: 2014-010 CVE: CVE-2014-0157 Date: April 08, 2014 Title: XSS in Horizon orchestration dashboard Reporter: Cristian Fiorentino (Intel) Products: Horizon Versions: 2013.2 version up to 2013.2.3 Description: Cristian Fiorentino from Intel reported a vulnerability in Horizon Orchestration dashboard. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability. It may result in potential assets theft (Horizon user/admin access credentials, tenants confidential information, etc.). Only setups exposing the orchestration dashboard in Horizon are affected. Juno (development branch) fix: https://review.openstack.org/86059 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/86054 Havana fix: https://review.openstack.org/86056 Notes: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0157 https://launchpad.net/bugs/1289033 @maintainer(s): this bug was filed for tracking purpose, no action is required