OSSA-2013-036: Insufficient sanitization of Instance Name in Horizon

Date: December 11, 2013

CVE: CVE-2013-6858

Affects

  • Horizon: All supported releases

Description

Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator’s browser, resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.
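The following is an added illustration of the class of flaw described above, not Horizon's code and not the upstream patch. It contrasts a renderer that interpolates a tenant-supplied instance name verbatim with one that escapes it, and adds a small audit helper for existing names. The function names, the table markup and the sample data are assumptions constructed for this example.

```python
import html
import re

# Constructed sample data: instance names as a tenant could set them.
INSTANCES = [
    {"id": "1", "name": "web-01"},
    {"id": "2", "name": "<script>alert(1)</script>"},
    {"id": "3", "name": 'db "primary"'},
]

ROW = '<tr><td title="%s">%s</td></tr>'


def render_row_unsafe(instance):
    """Hypothetical vulnerable renderer: the name is interpolated as-is,
    so any tags it contains become live markup in the viewer's browser."""
    return ROW % (instance["name"], instance["name"])


def render_row_escaped(instance):
    """Hardened renderer: &, <, >, double and single quotes are encoded,
    so the name is shown as text in both element and attribute context."""
    name = html.escape(instance["name"], quote=True)
    return ROW % (name, name)


# Characters that change meaning when placed into HTML unescaped.
_HTML_META = re.compile(r"[<>\"'&]")


def names_needing_review(instances):
    """Return ids of instances whose stored names contain HTML
    metacharacters, for auditing data created before output was escaped."""
    return [i["id"] for i in instances if _HTML_META.search(i["name"])]


if __name__ == "__main__":
    for inst in INSTANCES:
        print("unsafe :", render_row_unsafe(inst))
        print("escaped:", render_row_escaped(inst))
    print("review :", names_needing_review(INSTANCES))
```

Escaping at output time is what neutralises the name; the audit helper only identifies stored values worth inspecting and is not a substitute for it.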

Patches

Credits

  • Cisco PSIRT from Cisco (CVE-2013-6858)

References