Comment 3 for bug 1396544

I've left this bug private, subscribed the Horizon core security reviewers and added an incomplete security advisory task until we can determine if this is a class A or class D. https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy