Comment 5 for bug 1308727

Paul McMillan (paul-mcmillan) wrote : Re: XSS in Horizon Heat template - resource name

A quick look at just the stacks dashboard shows:

This is probably the reported vulnerability:

https://github.com/openstack/horizon/blob/56addb790a40da1feae360f3f413dc1f539ed01a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_topology.html#L7

This is likely to be a vulnerability:
https://github.com/openstack/horizon/blob/56addb790a40da1feae360f3f413dc1f539ed01a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_resource_overview.html#L15

This looks user-controlled, so also a problem:
https://github.com/openstack/horizon/blob/56addb790a40da1feae360f3f413dc1f539ed01a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_stack_info.html#L14

Obviously I'm not going to open a new ticket about these separate issues that weren't in the original report, but as you can see, there are some fundamental problems. I didn't examine the rest of Horizon; someone should do that.
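The comment above points at Django templates in the stacks dashboard and suggests auditing the rest of Horizon for the same pattern. As an added example that is not part of the bug report and not Horizon's own code, the block below does two things: it shows what Django's autoescaping does to an attacker-chosen Heat resource name and what happens once a template bypasses it, and it implements the audit the commenter asks for, a scanner over Django template source that flags the two constructs that disable escaping, the `safe`/`safeseq` filters and `{% autoescape off %}` blocks. The template text and the variable names in it (`stack.stack_name`, `d3_data`, `resource.resource_name`) are constructed for illustration; they are not quoted from the linked Horizon files.

```python
import html
import re

# A Heat stack or resource name is chosen by whoever creates the stack, so in a
# multi-tenant cloud it has to be treated as attacker-controlled. Constructed payload:
HOSTILE_RESOURCE_NAME = '<img src=x onerror="alert(document.domain)">'

# Constructed Django template fragment (not Horizon's real template). It mixes
# properly escaped output with two constructs that switch escaping off.
SAMPLE_TEMPLATE = """\
<h3>{{ stack.stack_name }}</h3>
<div id="topology" data-json="{{ d3_data|safe }}"></div>
{% autoescape off %}
<p>{{ resource.resource_name }}</p>
{% endautoescape %}
"""

# `{{ expr|safe }}` or `{{ expr|safeseq }}` anywhere inside a variable tag.
UNSAFE_FILTER = re.compile(r"\{\{[^}]*\|\s*(safe|safeseq)\b[^}]*\}\}")
# `{% autoescape off %}` turns escaping off for the whole enclosed block.
AUTOESCAPE_OFF = re.compile(r"\{%\s*autoescape\s+off\s*%\}")


def render_variable(value, marked_safe=False):
    """Mimic Django's handling of one {{ variable }}.

    With autoescaping on, Django replaces & < > " ' with entities, which is
    exactly what html.escape(quote=True) does. Marking the value safe (the
    |safe filter, mark_safe(), or an autoescape-off block) emits it verbatim.
    """
    if marked_safe:
        return str(value)
    return html.escape(str(value), quote=True)


def find_unescaped_output(template_text):
    """Return (line_number, kind, snippet) for every construct that disables
    autoescaping in a Django template. Each finding needs a human to confirm
    that the value rendered there really is trusted; user-supplied names
    such as Heat stack/resource names never are.
    """
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in UNSAFE_FILTER.finditer(line):
            findings.append((lineno, "safe-filter", match.group(0)))
        for match in AUTOESCAPE_OFF.finditer(line):
            findings.append((lineno, "autoescape-off", match.group(0)))
    return findings


if __name__ == "__main__":
    print("escaped:  ", render_variable(HOSTILE_RESOURCE_NAME))
    print("unescaped:", render_variable(HOSTILE_RESOURCE_NAME, marked_safe=True))
    for lineno, kind, snippet in find_unescaped_output(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {kind}: {snippet}")
```

Running the scanner over a checkout (`find openstack_dashboard -name '*.html'` fed through `find_unescaped_output`) gives the list of places to review; a hit is not automatically a bug, but every hit that renders a tenant-supplied string is the class of problem the comment describes. Note that the `safe-filter` pattern deliberately also catches `|safe` applied to JSON destined for a JavaScript block, since that is a frequent way user-controlled names reach the page unescaped.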