OSSA-2012-004: XSS vulnerability in Horizon log viewer

Date

April 17, 2012

CVE

CVE-2012-2094

Affects

  • Horizon: All versions

Description

Matthias Weckbecker reported a vulnerability in Horizon: the log viewer's refresh mechanism does not escape the data it fetches from guest consoles. HTML containing JavaScript in that data is therefore interpreted as markup and script rather than displayed as text, which allows code to be injected into a dashboard session.
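
The following JavaScript is an added illustration, not Horizon's code and not part of the original advisory. It models a log pane that is rebuilt on each refresh from polled console text, once without escaping and once with it. The `LogPane` class, the helper names and the sample console chunks are assumptions constructed for this example.

```javascript
// Added illustration: names below are hypothetical, not Horizon's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Models a log pane that is rebuilt on every refresh from polled console text.
class LogPane {
  constructor(escape) {
    this.escape = escape; // true = hardened, false = the flawed pattern
    this.lines = [];
  }
  // Called with each newly fetched chunk of guest console output.
  refresh(chunk) {
    for (const line of chunk.split('\n')) {
      if (line !== '') this.lines.push(line);
    }
    return this.html();
  }
  html() {
    const body = this.lines
      .map((l) => (this.escape ? escapeHtml(l) : l))
      .join('\n');
    return '<pre class="logs">' + body + '</pre>';
  }
}

// True if anything inside the <pre> wrapper would be parsed as a tag.
function hasLiveMarkup(fragment) {
  const inner = fragment.slice('<pre class="logs">'.length, -'</pre>'.length);
  return /<[A-Za-z\/!?]/.test(inner);
}

// Constructed sample: guest-controlled console text; second chunk carries markup.
const SAMPLE_CHUNKS = [
  'cloud-init: boot finished\n',
  'motd: <script>alert(1)</script> & "done"\n',
];

// Feed every sample chunk through a pane and return the final markup.
function demo(escape) {
  const pane = new LogPane(escape);
  let out = '';
  for (const chunk of SAMPLE_CHUNKS) out = pane.refresh(chunk);
  return out;
}

console.log(hasLiveMarkup(demo(false)), hasLiveMarkup(demo(true))); // true false
```

In a browser, assigning the fetched text to an element's `textContent` instead of `innerHTML` gives the same result without manual escaping.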

Credits

  • Matthias Weckbecker (CVE-2012-2094)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.