On 04/17/2012 08:51 AM, Russell Bryant wrote:
> OpenStack Security Advisory: 2012-004
> CVE: 2012-2094
> Date: April 17, 2012
> Title: XSS vulnerability in Horizon log viewer
> Impact: High
> Reporter: Matthias Weckbecker <[email protected]>
> Products: Horizon
> Affects: All versions
One clarification: this issue is *not* present in the stable/diablo branch of Horizon.

> Description:
> Matthias Weckbecker reported a vulnerability in Horizon. He noted that
> the log viewer refreshing mechanism does not escape the data fetched
> from guest consoles. This means that HTML with Javascript code gets
> interpreted as such, resulting in the ability to inject code into a
> dashboard session.
>
> Fixes:
> Folsom: https://review.openstack.org/#/c/6618/
> 2012.1: https://review.openstack.org/#/c/6621/
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2094
> https://bugs.launchpad.net/horizon/+bug/977944

--
Russell Bryant
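An added example, not Horizon's code and not the fix linked above: the class of defect the quoted description names, a log-viewer refresh that concatenates raw guest-console text into page markup, placed beside the escaping step that prevents it. The function names and the sample console text are constructed assumptions.

```javascript
// Added example, not Horizon's code: the escaping step a log-viewer
// refresh needs before guest console output is inserted into the page.

// Escape the five characters HTML gives meaning to. '&' is handled first
// so the entities produced by the later replacements are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the defect the advisory describes): console text is
// concatenated straight into markup, so any tags inside it are interpreted
// by the browser when the viewer refreshes.
function renderConsoleUnsafe(consoleText) {
  return '<pre class="console">' + consoleText + "</pre>";
}

// Hardened pattern: the guest console output is treated as text, never as
// markup, so whatever the guest prints is displayed literally.
function renderConsoleSafe(consoleText) {
  return '<pre class="console">' + escapeHtml(consoleText) + "</pre>";
}

// Simple review check over a rendered fragment: nothing inside the wrapping
// <pre> should start a tag. Returns true when an unescaped tag survived.
function containsForeignTag(html) {
  const inner = html
    .replace(/^<pre class="console">/, "")
    .replace(/<\/pre>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample of what a guest console could return (assumption):
// one ordinary kernel line and one line carrying markup.
const SAMPLE_CONSOLE =
  "[    0.000000] Linux version 3.2.0\n<b>not a real kernel line</b>";
```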

