[Openstack-security] [Bug 1308727] Re: [OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)
Tristan Cacqueray
tristan.cacqueray at enovance.com
Thu Jul 10 10:55:47 UTC 2014
** Changed in: horizon/icehouse
Status: New => Fix Committed
** Changed in: horizon/havana
Status: New => In Progress
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1308727
Title:
[OSSA 2014-023] XSS in Horizon Heat template - resource name
(CVE-2014-3473)
Status in OpenStack Dashboard (Horizon):
Fix Committed
Status in OpenStack Dashboard (Horizon) havana series:
In Progress
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Committed
Bug description:
The attached yaml will result in a Cross Site Script when viewing the
resources or events of an Orchestration stack in the following paths:
/project/stacks/stack/{stack_id}/?tab=stack_details__resources
/project/stacks/stack/{stack_id}/?tab=stack_details__events
The A tag's href attribute does not properly URL encode the name of
the resource string resulting in escaping out of the attribute and
arbitrary HTML written to the page.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1308727/+subscriptions
More information about the Openstack-security
mailing list