Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507214 (CVE-2014-0157) - <www-apps/horizon-2013.2.3 : XSS in Horizon orchestration dashboard (CVE-2014-0157) (OSSA 2014-010)
Summary: <www-apps/horizon-2013.2.3 : XSS in Horizon orchestration dashboard (CVE-2014...
Alias: CVE-2014-0157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2014-04-09 08:30 UTC by Agostino Sarubbo
Modified: 2014-04-11 15:24 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-09 08:30:05 UTC
From ${URL} :

OpenStack Security Advisory: 2014-010
CVE: CVE-2014-0157
Date: April 08, 2014
Title: XSS in Horizon orchestration dashboard
Reporter: Cristian Fiorentino (Intel)
Products: Horizon
Versions: 2013.2 version up to 2013.2.3

Cristian Fiorentino from Intel reported a vulnerability in Horizon
Orchestration dashboard. By tricking a Horizon user into using a
malicious template in the Orchestration/Stack section of Horizon, a
remote attacker may trigger a cross-site-scripting vulnerability. It may
result in potential assets theft (Horizon user/admin access credentials,
tenants confidential information, etc.). Only setups exposing the
orchestration dashboard in Horizon are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.


@maintainer(s): this bug was filed for tracking purpose, no action is required
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-11 15:24:15 UTC
you sure? I think it wasn't fixed in tree...

I fixed it though, vulnerable versions removed