OSSA-2015-010: XSS in Horizon Heat stack creation

Date: June 09, 2015
CVE: CVE-2015-3219

Affects

  • Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0

Description

Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site scripting (XSS) vulnerability during stack creation. This may result in the theft of assets such as user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.

Credits

  • Nikita Konovalov from Mirantis (CVE-2015-3219)

Notes

  • This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases.