Swift object Cross Site Scripting (XSS) attack
Bug #1477432 reported by
Dmitry Russkikh
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
New
|
Undecided
|
Unassigned | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Browser open *.http objects instead of download them.
XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content
Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Affected URL:
/horizon/
Fix: browser should download but not open *.http objects
Revision history for this message
| Grant Murphy (gmurphy) wrote | #1 |
| description: | updated |
| Changed in ossa: | |
| status: | New → Incomplete |
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote | #2 |
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote | #3 |
| information type: | Private Security → Public |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| description: | updated |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.