Switched to public as discussed. Thanks for the heads up on this one, David!

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656435

Title:
  XSS in noVNC

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  I recently reported an XSS bug in noVNC, which has since been fixed in
  0.6.2: https://github.com/novnc/noVNC/issues/748. Depending on how
  OpenStack pulls in the noVNC viewer, it might be worth a security note
  or release.

  Vulnerability Summary:
  It's possible to set up a malicious noVNC server, then send someone a
  URL like http://GOOD_NOVNC/vnc_auto.html?host=BAD_NOVNC. The good noVNC
  will use a WebSocket to connect to the malicious one, then display a
  status message that runs JavaScript in the user's browser.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1656435/+subscriptions