[PKG-Openstack-devel] Bug#754255: CVE-2014-3473, CVE-2014-3474 and CVE-2014-3475: 3 cross-site scripting problems

Thomas Goirand zigo at debian.org
Wed Jul 9 08:14:24 UTC 2014


Source: horizon
Version: 2014.1.1-2
Severity: important
Tags: security patch

Message from the pre-OSSA team, before uploading the fixed package. Note that,
despite the announcement, 2014.1.1 is really vulnerable.

Thomas Goirand (zigo)

Title: Multiple XSS vulnerabilities in Horizon
Reporter: Jason Hullinger (HP),
          Craig Lorentzen (Cisco),
          Michael Xin     (Rackspace)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1

Description:
Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and
Michael Xin from Rackspace reported 3 cross-site scripting (XSS)
vulnerabilities in Horizon. A malicious Orchestration template owner or
catalog may conduct an XSS attack once a corrupted template is used in
the Orchestration/Stack section of Horizon (CVE-2014-3473). A malicious
Horizon user may store an XSS attack by creating a network with a
corrupted name (CVE-2014-3474). A malicious Horizon administrator may
store an XSS attack by creating a user with a corrupted email address
(CVE-2014-3475). Once executed in a legitimate context these attacks may
result in potential asset stealing (horizon user/admin access
credentials, VMs/Network configuration/management, tenants' confidential
information, etc.). All Horizon setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno
development branch) on the public disclosure date.

Icehouse fix:
https://review.openstack.org/105477

CVE: CVE-2014-3473, CVE-2014-3474 and CVE-2014-3475


