OpenStack Security Advisory: 2013-036 CVE: CVE-2013-6858 Date: December 11, 2013 Title: Insufficient sanitization of Instance Name in Horizon Reporter: Cisco PSIRT Products: Horizon Affects: All supported releases
Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.
Icehouse (development branch) fix: https://review.openstack.org/55175
Havana fix: https://review.openstack.org/58465
Grizzly fix: https://review.openstack.org/58820
Notes: This fix is included in the icehouse-1 development milestone and will appear in a future 2013.2.1 stable point release.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858 https://launchpad.net/bugs/1247675