Thanks for checking. Since we didn't treat bug 1842749 as a vulnerability, and the risks for this are the same or a subset of that report, we should proceed in a similar fashion with this report as well. I'll switch it to public now.
** Description changed: - This issue is being treated as a potential security risk under - embargo. Please do not make any public mention of embargoed - (private) security vulnerabilities before their coordinated - publication by the OpenStack Vulnerability Management Team in the - form of an official OpenStack Security Advisory. This includes - discussion of the bug or associated fixes in public forums such as - mailing lists, code review systems and bug trackers. Please also - avoid private disclosure to other individuals not already approved - for access to this information, and provide this same reminder to - those who are made aware of the issue prior to publication. All - discussion should remain confined to this private bug report, and - any proposed fixes should be added to the bug as attachments. This - embargo shall not extend past 2024-04-03 and will be made - public by or on that date even if no fix is identified. - Members of the VMT received the following report by E-mail: 1 admin add a user. 2 the user logins and create a compute instance 3 the user change the instance name as "=1+cmd|'/C calc'!A0" 4 admin go to download csv summary 5 admin open the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSV_Injection to fix it ** Information type changed from Private Security to Public ** Tags added: security ** Changed in: ossa Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/2048106 Title: CSV Injection while download csv summary Status in OpenStack Dashboard (Horizon): Confirmed Status in OpenStack Security Advisory: Won't Fix Bug description: Members of the VMT received the following report by E-mail: 1 admin add a user. 2 the user logins and create a compute instance 3 the user change the instance name as "=1+cmd|'/C calc'!A0" 4 admin go to download csv summary 5 admin open the csv and we can see that the calculator is opened. see https://owasp.org/www-community/attacks/CSV_Injection to fix it To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/2048106/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
