Date: Tue, 09 Jun 2015 13:38:16 -0700 From: Tristan Cacqueray <tdecacqu@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2015-010] XSS in Horizon Heat stack creation (CVE-2015-3219) ================================================= OSSA-2015-010: XSS in Horizon Heat stack creation ================================================= :Date: June 09, 2015 :CVE: CVE-2015-3219 Affects ~~~~~~~ - Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0 Description ~~~~~~~~~~~ Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability during the stack creation. It may result in potential assets theft like user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected. Patches ~~~~~~~ - https://review.openstack.org/189821 (Juno) - https://review.openstack.org/189822 (Kilo) - https://review.openstack.org/189820 (Liberty) Credits ~~~~~~~ - Nikita Konovalov from Mirantis (CVE-2015-3219) References ~~~~~~~~~~ - https://launchpad.net/bugs/1453074 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3219 Notes ~~~~~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases. -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.