62 lines
1.4 KiB
YAML
62 lines
1.4 KiB
YAML
date: 2014-04-08
|
|
|
|
id: OSSA-2014-010
|
|
|
|
title: 'XSS in Horizon orchestration dashboard'
|
|
|
|
description: 'Cristian Fiorentino from Intel reported a vulnerability in Horizon Orchestration
|
|
dashboard. By tricking a Horizon user into using a malicious template in the Orchestration/Stack
|
|
section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability.
|
|
It may result in potential assets theft (Horizon user/admin access credentials,
|
|
tenants confidential information, etc.). Only setups exposing the orchestration
|
|
dashboard in Horizon are affected. '
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-April/000218.html
|
|
|
|
affected-products:
|
|
|
|
- product: horizon
|
|
version: 2013.2 versions up to 2013.2.3
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-0157
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: low
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.3
|
|
detail: AV:N/AC:M/Au:N/C:N/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Cristian Fiorentino'
|
|
affiliation: Intel
|
|
reported:
|
|
- CVE-2014-0157
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1289033
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
juno:
|
|
- https://review.openstack.org/#/c/86059
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/#/c/86054
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/86056
|
|
|
|
type: gerrit
|