OSSA-2012-004: XSS vulnerability in Horizon log viewer

OSSA-2012-004: XSS vulnerability in Horizon log viewer¶

Date:: April 17, 2012
CVE:: CVE-2012-2094

Affects¶

Horizon: All versions

Description¶

Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

Patches¶

https://review.openstack.org/#/c/6621 (Essex)
https://review.openstack.org/#/c/6618 (Folsom)

Credits¶

Matthias Weckbecker (CVE-2012-2094)

References¶

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.