[Openstack-security] [Bug 1622690] Fix included in openstack/horizon 10.0.0.0rc1
OpenStack Infra
1622690 at bugs.launchpad.net
Tue Oct 18 16:50:32 UTC 2016
This issue was fixed in the openstack/horizon 10.0.0.0rc1 release
candidate.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1622690
Title:
Potential XSS in image create modal or angular table
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The Image Create modal allows you to create an image sending unencoded
HTML and JavaScript. This could lead to a potential XSS attack
Steps to reproduce:
1. Go to project>images
2. Click on "Create image"
3. In the "Image Name" input enter some HTML code or script code (i.e <h1>This is bad</h1>, <script>alert('This is bad');</script>)
4. Fill in other required fields
5. Click on 'Create Image'
Expected Result:
The image is created but the name is safely encoded and it's shown in the table as it was written
Actual Result:
The image name is not encoded an therefore is being rendered as HTML by the browser.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1622690/+subscriptions
More information about the Openstack-security
mailing list