Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 08 Apr 2014 18:28:43 +0200
From: Tristan Cacqueray <>
Subject: [OSSA 2014-010] XSS in Horizon orchestration dashboard (CVE-2014-0157)

OpenStack Security Advisory: 2014-010
CVE: CVE-2014-0157
Date: April 08, 2014
Title: XSS in Horizon orchestration dashboard
Reporter: Cristian Fiorentino (Intel)
Products: Horizon
Versions: 2013.2 version up to 2013.2.3

Cristian Fiorentino from Intel reported a vulnerability in Horizon
Orchestration dashboard. By tricking a Horizon user into using a
malicious template in the Orchestration/Stack section of Horizon, a
remote attacker may trigger a cross-site-scripting vulnerability. It may
result in potential assets theft (Horizon user/admin access credentials,
tenants confidential information, etc.). Only setups exposing the
orchestration dashboard in Horizon are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ