OSSA-2014-010: XSS in Horizon orchestration dashboard

Date

April 08, 2014

CVE

CVE-2014-0157

Affects

  • Horizon: 2013.2 versions up to 2013.2.3

Description

Cristian Fiorentino from Intel reported a vulnerability in the Horizon Orchestration dashboard. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site scripting vulnerability. This may result in theft of assets (Horizon user/admin access credentials, tenants' confidential information, etc.). Only setups exposing the orchestration dashboard in Horizon are affected.
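A defender-side check for the scenario described above, as an added example that is not part of the advisory or of Horizon's code: it walks a JSON-format template before it is loaded into the dashboard and lists every string containing angle brackets, together with its HTML-escaped form. The advisory does not name the template field that is rendered, so scanning every string is an assumption, as are the function names and the constructed sample template.

```python
import html
import json
import re

# Angle brackets open or close an HTML tag; a template string that
# contains them must be escaped before it is placed in a page.
MARKUP = re.compile(r"[<>]")


def find_markup(node, path="$"):
    """Walk a parsed template and return (path, text) for every string,
    mapping keys included, that contains angle brackets."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if MARKUP.search(key):
                hits.append((f"{path}.{key} (key)", key))
            hits.extend(find_markup(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_markup(value, f"{path}[{i}]"))
    elif isinstance(node, str) and MARKUP.search(node):
        hits.append((path, node))
    return hits


def review_template(text):
    """Return one finding per suspicious string: where it is, the raw
    text, and the escaped form safe for HTML content and attributes."""
    template = json.loads(text)
    return [
        {"path": p, "raw": v, "escaped": html.escape(v, quote=True)}
        for p, v in find_markup(template)
    ]


# Constructed sample template in JSON form; not taken from the advisory.
SAMPLE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Demo stack",
    "Parameters": {
        "KeyName": {
            "Type": "String",
            "Description": "Name of the <b>key pair</b> to use",
        }
    },
})

if __name__ == "__main__":
    for finding in review_template(SAMPLE):
        print(finding["path"], "->", finding["escaped"])
```

A template that produces findings is not necessarily malicious, but it should not be loaded from an untrusted source into an affected Horizon version.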

Credits

  • Cristian Fiorentino from Intel (CVE-2014-0157)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.