Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 May 2015 14:37:35 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE request for vulnerability in OpenStack Horizon

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Persistent XSS in Horizon metadata dashboard
Reporter: Sunil Yadav (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Sunil Yadav from IBM Security Services reported a persistent XSS in
Horizon. An authenticated user may conduct a persistent XSS attack by
setting a malicious metadata to a Glance image, a Nova flavor or a Host
Aggregate and tricking an administrator to load the update metadata
page. Once executed in a legitimate context this attack may result in a
privilege escalation. All Horizon setups are affected.

References:
https://launchpad.net/bugs/1449260

Thanks in advance,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ