[openstack-announce] [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858)

Jeremy Stanley jeremy at openstack.org
Wed Dec 11 15:53:47 UTC 2013


OpenStack Security Advisory: 2013-036
CVE: CVE-2013-6858
Date: December 11, 2013
Title: Insufficient sanitization of Instance Name in Horizon
Reporter: Cisco PSIRT
Products: Horizon
Affects: All supported releases

Description:
Cisco PSIRT reported a vulnerability in the OpenStack Horizon
dashboard. A tenant who embeds HTML tags in an Instance Name can have
that markup rendered unescaped by the dashboard, so script of the
tenant's choosing executes in the browser of an administrator who views
the instance there (a cross-site scripting, XSS, attack). Only setups
using the Horizon dashboard are affected.
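As an added illustration of the flaw class described above (example code written for this page, not Horizon's code and not the fix linked below): Horizon is a Django application, and Django templates escape variables by default, so the dangerous pattern is a tenant-controlled string that reaches the page without escaping, whether by being marked safe (mark_safe / |safe) or by being concatenated into markup in Python. The snippet contrasts the unescaped and escaped rendering of a constructed instance name carrying an HTML tag, and adds a small screen an operator could run over existing instance names to find ones that already contain tag-like markup before upgrading. The sample names and all function names are this example's own.

```python
import html
import re

# Constructed sample instance names for this example (not taken from the
# advisory or from any real deployment): one ordinary name and one that a
# tenant has filled with an HTML tag, as the advisory describes.
SAMPLE_NAMES = [
    "web-01",
    "db-02<script>alert(1)</script>",
]

# Matches the start of an HTML tag (or comment/doctype) inside a name.
# Deliberately narrow: a bare "&" or ">" in a name is not a tag.
TAG_START = re.compile(r"<\s*/?[A-Za-z!]")


def render_row_unescaped(name: str) -> str:
    """Vulnerable pattern: the tenant-controlled name is dropped into
    markup as-is. A browser parsing this page runs the embedded tag.
    The Django equivalent is returning mark_safe(name) or using |safe."""
    return "<tr><td>%s</td></tr>" % name


def render_row_escaped(name: str) -> str:
    """Hardened pattern: escape <, >, &, ' and " before the name becomes
    part of the HTML, so the browser shows the tag as literal text.
    Django's autoescaping does the same thing for template variables."""
    return "<tr><td>%s</td></tr>" % html.escape(name, quote=True)


def names_with_markup(names):
    """Audit helper: return the names that contain tag-like markup, so an
    operator can look for instances renamed by a tenant before the
    dashboard was patched (run over the names returned by nova list)."""
    return [n for n in names if TAG_START.search(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("unescaped:", render_row_unescaped(name))
        print("escaped:  ", render_row_escaped(name))
    print("names containing markup:", names_with_markup(SAMPLE_NAMES))
```

The audit screen is a conservative first pass only: it finds names that contain something tag-shaped, not every string a browser could interpret as active content, so the durable control is the escaped rendering path, not the screen.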

Icehouse (development branch) fix:
https://review.openstack.org/55175

Havana fix:
https://review.openstack.org/58465

Grizzly fix:
https://review.openstack.org/58820

Notes:
This fix is included in the icehouse-1 development milestone and
will appear in a future 2013.2.1 stable point release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858
https://launchpad.net/bugs/1247675

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team