====================================================
OSSA-2017-003: XSS in Horizon federation mappings UI
====================================================

:Date: April 04, 2017
:CVE: CVE-2017-7400

Affects
~~~~~~~
- Horizon: >=9.0.0 <=9.1.1, >=10.0.0 <=10.0.2, ==11.0.0

Description
~~~~~~~~~~~
Eric Brown from VMware reported a vulnerability in Horizon. By creating a
malicious federation mapping, an administrator may conduct a persistent XSS
attack. All Horizon setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/442455 (Mitaka)
- https://review.openstack.org/442454 (Newton)
- https://review.openstack.org/442453 (Ocata)
- https://review.openstack.org/442277 (Pike)

Credits
~~~~~~~
- Eric Brown from VMware (CVE-2017-7400)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1667086
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7400

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
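The defect class the advisory describes is stored (persistent) XSS: federation mapping rules are operator-supplied JSON that is later rendered into an HTML page, so any rule text that reaches the template without HTML escaping is interpreted as markup. The following Python example is added here for illustration and is not Horizon's code or the linked patches; it contrasts the vulnerable pattern (interpolating serialized rules straight into markup) with the hardened one (escaping before embedding), using a constructed mapping and a constructed marker string. The mapping id, the rule contents and the helper names are assumptions for this example.

```python
import html
import json

# Constructed sample federation mapping (not real data). In the advisory's
# scenario the rule text is attacker-controlled: an administrator stores it
# and it is later shown to other users of the dashboard.
SAMPLE_MAPPING = {
    "id": "example-mapping",  # constructed placeholder id
    "rules": [
        {
            "local": [{"user": {"name": "{0}"}}],
            "remote": [{"type": "OIDC-email"}],
        }
    ],
}

# Constructed marker used only to show that markup survives unescaped
# rendering; it carries no payload.
MARKUP_MARKER = "<script>/* marker */</script>"


def tampered_mapping():
    """Return a copy of the sample mapping whose rule text contains markup."""
    mapping = json.loads(json.dumps(SAMPLE_MAPPING))
    mapping["rules"][0]["remote"][0]["type"] = MARKUP_MARKER
    return mapping


def render_rules_unsafe(mapping):
    """Vulnerable pattern: the serialized rules are dropped into HTML as-is.

    Any '<' or '"' inside the JSON reaches the browser as markup, which is
    exactly how stored rule text becomes persistent XSS.
    """
    return "<pre>%s</pre>" % json.dumps(mapping["rules"], indent=2)


def render_rules_escaped(mapping):
    """Hardened pattern: HTML-escape the serialized rules before embedding.

    html.escape turns <, >, &, ' and " into entities, so the browser shows the
    rule text literally instead of parsing it. Django's autoescaping achieves
    the same thing as long as the value is not marked safe.
    """
    serialized = json.dumps(mapping["rules"], indent=2)
    return "<pre>%s</pre>" % html.escape(serialized, quote=True)


def contains_raw_markup(rendered, marker="<script"):
    """Detection helper: True if a rendered fragment still contains raw markup."""
    return marker in rendered


if __name__ == "__main__":
    tampered = tampered_mapping()
    print("unsafe  :", contains_raw_markup(render_rules_unsafe(tampered)))
    print("escaped :", contains_raw_markup(render_rules_escaped(tampered)))
```

The same check can be turned into a regression test for any view that displays mapping rules: render a mapping whose rule text contains a marker tag and assert that the marker appears only in entity-encoded form in the response body.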