Comment 15 for bug 1308727

It may help to initially expand the XSS acronym in the description for improved clarity and searchability. Here is a proposed alternative with some additional English grammar fixes:

Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and Michael Xin from Rackspace reported 3 cross-site scripting (XSS) vulnerabilities in Horizon. A malicious Orchestration template owner or catalog may conduct an XSS attack once a corrupted template is used in the Orchestration/Stack section of Horizon. A malicious Horizon user may store an XSS attack by creating a network with a corrupted name. A malicious Horizon administrator may store an XSS attack by creating a user with a corrupted email address. Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected.

Also worth confirming, the "Versions" header implies that no release prior to Havana (2013.2) is affected. Is this true? If prior unsupported releases may also be affected then this could more accurately be stated as "Versions: up to 2013.2.3, and 2014.1" (we simply won't release official backports to versions prior to 2013.2 but that doesn't mean they're unaffected by these vulnerabilities).