XSS in adding JavaScript into the ‘Subnet Name’ field

Bug #1900872 reported by Dorina Timbur
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |

Bug Description

As part of a penetration test done by a third party on a customer environment, it was found that by adding JavaScript into the ‘Subnet Name’ field, the JavaScript would trigger when adding the network to an instance and then loading a network trunk.
The user needs permissions to create a network and edit an instance for this to trigger.
See attached screenshots for more details.
This is susceptible to a Cross-Site Scripting (XSS) vulnerability.

Tags: xss
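
An operator-side check for the condition described above, added here as an example (it is not part of the report and not Horizon or Neutron code): it audits stored subnet names for characters that need escaping when rendered in HTML and shows the escaped form. It assumes input shaped like a Neutron "list subnets" response; the function name `audit_subnet_names` and all sample ids and names are constructed.

```python
import html
import json
import re

# Constructed sample shaped like a Neutron "list subnets" response body
# (GET /v2.0/subnets); the ids and names are made up for this example.
SAMPLE_RESPONSE = json.dumps({"subnets": [
    {"id": "subnet-0001", "network_id": "net-0001", "name": "prod-db"},
    {"id": "subnet-0002", "network_id": "net-0001",
     "name": "<script>alert(1)</script>"},
    {"id": "subnet-0003", "network_id": "net-0002", "name": "R&D \"lab\""},
    {"id": "subnet-0004", "network_id": "net-0002", "name": ""},
]})

# Characters that change meaning when a value is placed into HTML unescaped.
HTML_SIGNIFICANT = re.compile(r"[<>&\"'`]")
# Patterns that would be active content if the name were rendered unescaped.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def audit_subnet_names(response_body):
    """Return one finding per subnet whose name needs escaping in HTML."""
    findings = []
    for subnet in json.loads(response_body).get("subnets", []):
        name = subnet.get("name") or ""  # name may be empty or null
        if not HTML_SIGNIFICANT.search(name):
            continue
        findings.append({
            "id": subnet["id"],
            "network_id": subnet.get("network_id"),
            # "review": looks like markup; "info": merely needs escaping.
            "severity": "review" if ACTIVE_MARKUP.search(name) else "info",
            # What a correctly escaping template would emit for this name.
            "escaped": html.escape(name, quote=True),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_subnet_names(SAMPLE_RESPONSE):
        print(finding)
```
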
Dorina Timbur (dorina-t) wrote :
Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Dorina Timbur (dorina-t) wrote :

Hi, this is the first time I've raised a potential security vulnerability bug, so if there's any additional information to provide, please let me know.

Jeremy Stanley (fungi) wrote :

At this point we're waiting for the Horizon project's security reviewers to help confirm the reported defect and identify the extent of its impact. If they don't chime in soon I'll reach out to them directly in an attempt to get some resolution.

Jeremy Stanley (fungi) wrote :

We missed setting this to Public Security at the expiration of its embargo in January because it's set as a duplicate. I've switched it to Public Security now.

information type: Private Security → Public Security
description: updated
Vishal Manchanda (vishalmanchanda) wrote :

Hi @dorina-t, could you please provide more information about the steps to reproduce this bug?

This report contains Public Security information  
Everyone can see this security related information.
