OSSA-2015-010: XSS in Horizon Heat stack creation

Date:

June 09, 2015

CVE:

CVE-2015-3219

Affects

  • Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0

Description

Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site scripting vulnerability during stack creation. This could result in the theft of assets such as user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.
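The following is an added illustration of the vulnerability class described above; it is not Horizon's code or the actual fix. It assumes (an assumption, not something the advisory states) that text taken from a user-supplied Heat template, here the `description` of a template parameter, is interpolated into the stack creation form's HTML. The first renderer reproduces the unsafe pattern, the second escapes the template-derived text before it reaches the browser, and a small review helper flags templates whose descriptions contain markup.

```python
import html
import re

# Constructed sample: a parsed HOT template (as a dict, the shape PyYAML would
# produce) whose parameter description carries markup. Illustrative only; the
# advisory does not publish the reported template.
SAMPLE_TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "parameters": {
        "image_id": {
            "type": "string",
            "description": '<img src=x onerror="alert(document.cookie)">',
        },
        "flavor": {
            "type": "string",
            "description": "Flavor for the server",
        },
    },
}


def render_help_vulnerable(template):
    """Builds per-parameter help text by interpolating the description verbatim.

    This mirrors the unsafe pattern: content controlled by whoever authored the
    template lands in HTML unescaped, so any markup it carries is interpreted by
    the browser of the user creating the stack.
    """
    return {
        name: '<p class="help-block">%s</p>' % param.get("description", "")
        for name, param in template.get("parameters", {}).items()
    }


def render_help_hardened(template):
    """Same output shape, but the template-derived text is HTML-escaped first.

    html.escape(..., quote=True) turns <, >, &, " and ' into entities, so the
    description is displayed as text rather than parsed as markup.
    """
    return {
        name: '<p class="help-block">%s</p>'
        % html.escape(param.get("description", ""), quote=True)
        for name, param in template.get("parameters", {}).items()
    }


# Any HTML tag-like construct; loose on purpose, since this is a review aid,
# not a sanitizer (escaping at output time is the actual protection).
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def find_markup_in_descriptions(template):
    """Returns the names of parameters whose description contains HTML-like markup.

    Useful when reviewing templates from external sources before loading them
    into a dashboard that is not yet patched.
    """
    flagged = []
    for name, param in template.get("parameters", {}).items():
        if _TAG_RE.search(param.get("description", "")):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_help_vulnerable(SAMPLE_TEMPLATE)["image_id"])
    print("hardened:  ", render_help_hardened(SAMPLE_TEMPLATE)["image_id"])
    print("flagged:   ", find_markup_in_descriptions(SAMPLE_TEMPLATE))
```

The point of the hardened renderer is that escaping happens at the place where untrusted text meets HTML; in a Django-based application such as Horizon the equivalent is to keep autoescaping on and never wrap template-derived strings in a "safe" marker.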

Patches

Credits

  • Nikita Konovalov from Mirantis (CVE-2015-3219)

References

Notes

  • This fix will be included in the future 2014.2.4 (Juno) and 2015.1.1 (Kilo) releases.