OpenStack Security Advisory: 2014-023 CVE: CVE-2014-3473, CVE-2014-3474, and CVE-2014-3475 Date: July 08, 2014 Title: Multiple XSS vulnerabilities in Horizon Reporter: Jason Hullinger (HP) - CVE-2014-3473 Craig Lorentzen (Cisco) - CVE-2014-3474 Michael Xin (Rackspace) - CVE-2014-3475 Products: Horizon Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1 Description: Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and Michael Xin from Rackspace reported 3 cross-site scripting (XSS) vulnerabilities in Horizon. A malicious Orchestration template owner or catalog may conduct an XSS attack once a corrupted template is used in the Orchestration/Stack section of Horizon. A malicious Horizon user may store an XSS attack by creating a network with a corrupted name. A malicious Horizon administrator may store an XSS attack by creating a user with a corrupted email address. Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected. Juno (development branch) fix: https://review.openstack.org/105476 Icehouse fix: https://review.openstack.org/105477 Havana fix: https://review.openstack.org/105478 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475 https://launchpad.net/bugs/1308727 https://launchpad.net/bugs/1320235 https://launchpad.net/bugs/1322197 -- Tristan Cacqueray OpenStack Vulnerability Management Team