[Openstack-security] [Bug 1622690] Fix included in openstack/horizon 10.0.0.0rc1

OpenStack Infra 1622690 at bugs.launchpad.net
Mon Sep 26 20:02:23 UTC 2016


This issue was fixed in the openstack/horizon 10.0.0.0rc1 release
candidate.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1622690

Title:
  Potential XSS in image create modal or angular table

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The Image Create modal allows you to create an image sending unencoded
  HTML and JavaScript. This could lead to a potential XSS attack

  Steps to reproduce:

  1. Go to project>images
  2. Click on "Create image"
  3. In the "Image Name" input enter some HTML code or script code (i.e <h1>This is bad</h1>, <script>alert('This is bad');</script>)
  4. Fill in other required fields
  5. Click on 'Create Image'

  Expected Result:
  The image is created but the name is safely encoded and it's shown in the table as it was written

  Actual Result:
  The image name is not encoded an therefore is being rendered as HTML by the browser.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1622690/+subscriptions




More information about the Openstack-security mailing list