[Openstack-devel] Bug#730752: horizon: CVE-2013-6406: persistent XSS vulnerability
Henri Salo
henri at nerv.fi
Fri Nov 29 07:34:50 UTC 2013
Package: horizon
Version: 2013.2-1
Severity: normal
Tags: security, fixed-upstream
Chris Chapman of Cisco PSIRT reports:
The OpenStack web user interface (horizon) is vulnerable to XSS:
While launching (or editing) an instance, injecting <script> tags in
the instance name results in the JavaScript being executed on the
"Volumes" and the "Network Topology" page. This is a classic Stored
XSS vulnerability.
External references:
https://bugs.launchpad.net/ossa/+bug/1247675
https://review.openstack.org/58465
http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
---
Henri Salo
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
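The stored XSS pattern the report describes, as an added example that is not Horizon's code, the upstream fix, or part of the original bug report: a stored value (the instance name) interpolated into HTML verbatim beside the same row rendered with output escaping, plus a JSON-in-script embedding that cannot break out of its script element. The instance records, the rendering functions and the check at the end are constructed assumptions for illustration; the real Horizon templates differ.

```python
import html
import json

# Constructed sample data: one benign instance name and one carrying the
# markup class the report describes. Nothing here is from a real deployment.
SAMPLE_INSTANCES = [
    {"id": "i-0001", "name": "web-01"},
    {"id": "i-0002", "name": "<script>probe()</script>"},
]


def render_volume_row_vulnerable(instance):
    """Defective pattern: the stored name is copied into HTML unchanged,
    so markup stored at instance creation executes on every page that
    renders it (the "stored" part of stored XSS)."""
    return f'<tr><td>{instance["id"]}</td><td>{instance["name"]}</td></tr>'


def render_volume_row_escaped(instance):
    """Hardened pattern: escape at the point of output. The stored value is
    untouched; the browser receives text, not elements."""
    return (
        f'<tr><td>{html.escape(instance["id"])}</td>'
        f'<td>{html.escape(instance["name"])}</td></tr>'
    )


def render_topology_script_escaped(instances):
    """Hardened pattern for data handed to page JavaScript: serialise as JSON
    and encode '<', '>' and '&' as JSON unicode escapes, so a name containing
    '</script>' cannot terminate the script element. JSON.parse / the JS
    engine decode the escapes back to the original characters."""
    payload = (
        json.dumps(instances)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return f"<script>var topology = {payload};</script>"


def contains_unescaped_markup(rendered_html, untrusted_values):
    """Output-side regression check (constructed, not a Horizon test): report
    True when any untrusted value containing '<' appears verbatim in the
    rendered page, i.e. reached the browser as markup rather than as text."""
    return any("<" in v and v in rendered_html for v in untrusted_values)


if __name__ == "__main__":
    names = [i["name"] for i in SAMPLE_INSTANCES]
    for inst in SAMPLE_INSTANCES:
        print("vulnerable:", render_volume_row_vulnerable(inst))
        print("escaped:   ", render_volume_row_escaped(inst))
    vuln_page = "".join(render_volume_row_vulnerable(i) for i in SAMPLE_INSTANCES)
    safe_page = "".join(render_volume_row_escaped(i) for i in SAMPLE_INSTANCES)
    print("vulnerable page leaks markup:", contains_unescaped_markup(vuln_page, names))
    print("escaped page leaks markup:   ", contains_unescaped_markup(safe_page, names))
    print(render_topology_script_escaped(SAMPLE_INSTANCES))
```

The check at the end is the kind of assertion worth adding to a view's tests: render the page with a name containing markup and assert the raw name does not appear in the response body. Escaping on output rather than on input is what keeps the fix complete, since the same stored name is rendered on more than one page (here, "Volumes" and "Network Topology") and a single input filter would have to anticipate every context.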