[openstack-announce] [OSSA 2014-010] XSS in Horizon orchestration dashboard (CVE-2014-0157)

Tristan Cacqueray tristan.cacqueray at enovance.com
Tue Apr 8 16:28:39 UTC 2014


OpenStack Security Advisory: 2014-010
CVE: CVE-2014-0157
Date: April 08, 2014
Title: XSS in Horizon orchestration dashboard
Reporter: Cristian Fiorentino (Intel)
Products: Horizon
Versions: 2013.2 version up to 2013.2.3

Description:
Cristian Fiorentino from Intel reported a vulnerability in Horizon
Orchestration dashboard. By tricking a Horizon user into using a
malicious template in the Orchestration/Stack section of Horizon, a
remote attacker may trigger a cross-site-scripting vulnerability. It may
result in potential assets theft (Horizon user/admin access credentials,
tenants confidential information, etc.). Only setups exposing the
orchestration dashboard in Horizon are affected.

Juno (development branch) fix:
https://review.openstack.org/86059

Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/86054

Havana fix:
https://review.openstack.org/86056

Notes:
This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0157
https://launchpad.net/bugs/1289033

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140408/beecf705/attachment.pgp>


More information about the OpenStack-announce mailing list