OSSA-2015-010: XSS in Horizon Heat stack creation

OSSA-2015-010: XSS in Horizon Heat stack creation

Date:June 09, 2015
CVE:CVE-2015-3219

Affects

  • Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0

Description

Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability during the stack creation. It may result in potential assets theft like user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.

Credits

  • Nikita Konovalov from Mirantis (CVE-2015-3219)

Notes

  • This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases.
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.