[PKG-Openstack-devel] Bug#786741: horizon: CVE-2015-3988: Persistent XSS in Horizon metadata dashboard

Thomas Goirand zigo at debian.org
Tue May 26 07:16:11 UTC 2015


On 05/25/2015 07:36 AM, Salvatore Bonaccorso wrote:
> Source: horizon
> Version: 2015.1.0-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for horizon.
>
> CVE-2015-3988[0]:
> | Multiple cross-site scripting (XSS) vulnerabilities in OpenStack
> | Dashboard (Horizon) 2015.1.0 allow remote authenticated users to
> | inject arbitrary web script or HTML via the metadata to a (1) Glance
> | image, (2) Nova flavor or (3) Host Aggregate.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-3988
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

Hi,

FYI, I uploaded 2015.1.0-2 to both Sid and Jessie backports.

I don't believe Jessie is affected (doing a grep within Jessie's code of 
Horizon didn't give any result). So once Horizon migrates to Stretch, 
the issue can be marked as closed everywhere.

Cheers,

Thomas Goirand (zigo)



