We've decided to drop this issue: while testing for the vulnerability we were unable to recreate the issue. The product team is also not willing to update the package on the basis that there is no way to exploit the vulnerability within Horizon.

If we do find an exploit we would be happy to reopen the issue.

** Changed in: python-xstatic-bootstrap-scss (Ubuntu)
   Status: New => Won't Fix

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS: The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.

Status in Ubuntu Cloud Archive: New
Status in OpenStack Dashboard (Horizon): Invalid
Status in OpenStack Security Advisory: Invalid
Status in horizon package in Ubuntu: New
Status in python-xstatic-bootstrap-scss package in Ubuntu: Won't Fix

Bug description:
  The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.

  github source: https://github.com/twbs/bootstrap/pull/28236
  github upstream MR: https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
  ubuntu-cve: https://ubuntu.com/security/CVE-2019-8331

  Affected package: openstack-dashboard, from xenial UCA, python-django-horizon version 13.0.2-0ubuntu3~cloud0
  `pull-uca-source python-django-horizon 3:13.0.2-0ubuntu3~cloud0`

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp