OSSA-2015-010: XSS in Horizon Heat stack creation¶
June 09, 2015
Horizon: 2014.2 versions through 2014.2.3 and version 2015.1.0
Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability during the stack creation. It may result in potential assets theft like user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.
Nikita Konovalov from Mirantis (CVE-2015-3219)
This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases.