Impact description review:
* I would title it "XSS in Horizon orchestration dashboard"
* the "By tricking" sentence is confusing. I would say "By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability. It may result in..."
* the double parenthesis listing the effects is very confusing. I would simplify it a lot.
* "Only setups using Heat and Horizon are affected." -- do you need to use Heat, or just the orchestration dashboard? Or would rendering a template in Horizon (without using Heat) also trigger the issue? In doubt I would just say "Only setups exposing the orchestration dashboard in Horizon are affected".