[Openstack] [OSSA 2012-004] XSS vulnerability in Horizon log viewer

Russell Bryant rbryant at redhat.com
Tue Apr 17 15:51:53 UTC 2012


OpenStack Security Advisory: 2012-004
CVE: 2012-2094
Date: April 17, 2012
Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <mweckbecker at suse.de>
Products: Horizon
Affects: All versions

Description:
Matthias Weckbecker reported a vulnerability in Horizon. He noted that
the log viewer refreshing mechanism does not escape the data fetched
from guest consoles. This means that HTML with JavaScript code gets
interpreted as such, resulting in the ability to inject code into a
dashboard session.
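As an added illustration of the pattern the advisory describes (not code from Horizon or from the linked fixes), the unescaped rendering beside its hardened form: refreshed console output is untrusted data and must be HTML-escaped (or assigned via `textContent`) before it reaches the DOM. The function names and the sample console line are constructed assumptions.

```javascript
// Added example: unsafe vs. safe rendering of refreshed console output.
// renderLogUnsafe, renderLogSafe, escapeHtml, containsRawTag and the sample
// line are constructed for this illustration; none of this is Horizon code.

// Constructed guest console output containing markup, as anything running in
// the guest could write to its own console.
const SAMPLE_CONSOLE_OUTPUT =
  'Booting kernel...\n<script>document.title = "owned"</script>\nLogin:';

// Vulnerable pattern: untrusted text is concatenated straight into HTML, so
// any tags it contains become live DOM nodes once assigned via innerHTML.
function renderLogUnsafe(consoleText) {
  return '<pre class="console-log">' + consoleText + '</pre>';
}

// Mitigation: escape the characters that can change HTML structure or break
// out of an attribute value before the text is inserted as HTML. In browser
// code, setting element.textContent instead of innerHTML achieves the same.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderLogSafe(consoleText) {
  return '<pre class="console-log">' + escapeHtml(consoleText) + '</pre>';
}

// Regression check for a unit test: the rendered fragment may contain the
// wrapping <pre> element but no other raw tag from the untrusted input.
function containsRawTag(html) {
  return /<(?!\/?pre\b)[a-z!\/]/i.test(html);
}
```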

Fixes:
  Folsom: https://review.openstack.org/#/c/6618/
  2012.1: https://review.openstack.org/#/c/6621/

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2094
  https://bugs.launchpad.net/horizon/+bug/977944

-- 
Russell Bryant
OpenStack Vulnerability Management Team
