47 lines
1.6 KiB
JSON
47 lines
1.6 KiB
JSON
{
|
|
"advisory": {
|
|
"date": "2014-08-19",
|
|
"description": "Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A malicious administrator may conduct a persistent XSS attack by registering a malicious host aggregate in Horizon Host Aggregate interface. Once executed in a legitimate context this attack may reveal another admin token, potentially resulting in a lateral privilege escalation. All Horizon setups are affected.",
|
|
"id": "2014-027",
|
|
"title": "Persistent XSS in Horizon Host Aggregates interface",
|
|
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-August/000266.html"
|
|
},
|
|
"affects": [
|
|
{
|
|
"product": "horizon",
|
|
"version": "up to 2013.2.3, and 2014.1 versions up to 2014.1.2"
|
|
}
|
|
],
|
|
"bugs": [
|
|
"1349491"
|
|
],
|
|
"notes": "This fix will be included in the Juno-3 development milestone and in future 2013.2.4 and 2014.1.3 releases.",
|
|
"reporters": [
|
|
{
|
|
"company": "Ruhr-University Bochum",
|
|
"name": "Dennis Felsch"
|
|
},
|
|
{
|
|
"company": "Ruhr-University Bochum",
|
|
"name": "Mario Heiderich"
|
|
}
|
|
],
|
|
"reviews": [
|
|
"115310",
|
|
"115311",
|
|
"115313"
|
|
],
|
|
"schema_version": 1,
|
|
"vulnerabilities": [
|
|
{
|
|
"cve": "CVE-2014-3594",
|
|
"cvss": {
|
|
"base_score": "4.3",
|
|
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
|
|
},
|
|
"cwe": "CWE-79",
|
|
"impact": "moderate"
|
|
}
|
|
]
|
|
}
|