OpenStack Security Advisory: 2013-036 CVE: CVE-2013-6858 Date: December 11, 2013 Title: Insufficient sanitization of Instance Name in Horizon Reporter: Cisco PSIRT Products: Horizon Affects: All supported releases Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected. Icehouse (development branch) fix: https://review.openstack.org/55175 Havana fix: https://review.openstack.org/58465 Grizzly fix: https://review.openstack.org/58820 Notes: This fix is included in the icehouse-1 development milestone and will appear in a future 2013.2.1 stable point release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858 https://launchpad.net/bugs/1247675 -- Jeremy Stanley OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 966 bytes Desc: Digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20131211/84dcd6e4/attachment.pgp>