OpenStack Security Advisory: 2013-036 CVE: CVE-2013-6858 Date: December 11, 2013 Title: Insufficient sanitization of Instance Name in Horizon Reporter: Cisco PSIRT Products: Horizon Affects: All supported releases
Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected. Icehouse (development branch) fix: https://review.openstack.org/55175 Havana fix: https://review.openstack.org/58465 Grizzly fix: https://review.openstack.org/58820 Notes: This fix is included in the icehouse-1 development milestone and will appear in a future 2013.2.1 stable point release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858 https://launchpad.net/bugs/1247675 -- Jeremy Stanley OpenStack Vulnerability Management Team
signature.asc
Description: Digital signature
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
