Title: XSS in Horizon-Orchestration
Reporter: Cristian Fiorentino
Products: Horizon
Versions: 2013.2.1 version up to 2013.2.2
Description:
Cristian Fiorentino from Intel reported a vulnerability in Horizon Orchestration dashboard. By tricking a Horizon user, a malicious templates owner/catalog may trigger an XSS when a malicious template is used in the Orchestration/Stack section of Horizon, resulting in potential assets theft (Horizon user/admin access credentials (session cookies/CSRF tokens), VMs/Network configuration/management, tenants confidential information, etc.). Only setups using Heat and Horizon are affected.
I'm really sorry, I meant cristian* !
Here is impact description #1
Title: XSS in Horizon-Orchestration
Reporter: Cristian Fiorentino
Products: Horizon
Versions: 2013.2.1 version up to 2013.2.2
Description:
Cristian Fiorentino from Intel reported a vulnerability in Horizon Orchestration dashboard. By tricking a Horizon user, a malicious templates owner/catalog may trigger an XSS when a malicious template is used in the Orchestration/Stack section of Horizon, resulting in potential assets theft (Horizon user/admin access credentials (session cookies/CSRF tokens), VMs/Network configuration/management, tenants confidential information, etc.). Only setups using Heat and Horizon are affected.