[OSSA 2015-010] help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219)
Bug #1453074 reported by Nikita Konovalov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Medium | Lin Hua Cheng |
Juno | Fix Released | Medium | Lin Hua Cheng |
Kilo | Fix Released | Medium | Lin Hua Cheng |
OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray |
Bug Description
The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from user input.
The Heat UI allows creating stacks from user input that defines parameters. Those parameters are then converted to input fields, which are vulnerable.
The heat stack example exploit:
```yaml
description: Does not matter
heat_template_
outputs: {}
parameters:
  param1:
    type: string
    label: normal_label
    description: hack=">
resources: {}
```
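The issue described above, shown as an added example that is not Horizon's code or part of the original report: a parameter description from a user-supplied template becomes a field's help_text, is rendered once raw and once HTML-escaped, and the output is parsed to see which elements a browser would build. The `FIELD_TEMPLATE` markup, the function names and the sample description (a benign `<i>` marker) are assumptions constructed for illustration, using only the Python standard library.

```python
import html
from html.parser import HTMLParser

# Constructed sample: parameters as parsed from a user-supplied template.
# The description closes the attribute it lands in and opens a benign <i>.
SAMPLE_PARAMETERS = {
    "param1": {
        "type": "string",
        "label": "normal_label",
        "description": 'note"><i id="injected">markup</i>',
    }
}

# Hypothetical stand-in for a form-field template (not Horizon's own).
FIELD_TEMPLATE = (
    '<label for="id_{name}">{label}</label>'
    '<input id="id_{name}" name="{name}" title="{help_text}">'
    '<span class="help-block">{help_text}</span>'
)


def build_fields(parameters):
    """Map template parameters to field dicts; description -> help_text."""
    return [
        {"name": name, "label": spec.get("label", name),
         "help_text": spec.get("description", "")}
        for name, spec in parameters.items()
    ]


def render_unsafe(field):
    """Vulnerable pattern: user-controlled values interpolated as raw HTML."""
    return FIELD_TEMPLATE.format(**field)


def render_escaped(field):
    """Hardened pattern: every value is HTML-escaped, quotes included."""
    return FIELD_TEMPLATE.format(
        **{k: html.escape(str(v), quote=True) for k, v in field.items()})


class TagCollector(HTMLParser):
    """Records each start tag the parser recognises as real markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags
```

Comparing `parsed_tags()` of both renderings for the same field shows the extra element appearing only in the unescaped output, which makes the check usable as a regression test for any code path that feeds user text into help_text.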
CVE References
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed

Changed in ossa:
status: Confirmed → Triaged

Changed in horizon:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
status: New → Triaged
importance: Undecided → Medium

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
status: Triaged → In Progress

Changed in horizon:
status: Triaged → In Progress

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security
description: updated
summary:
- help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219)
+ [OSSA 2015-010] help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219)

Changed in horizon:
assignee: Tristan Cacqueray (tristan-cacqueray) → Lin Hua Cheng (lin-hua-cheng)

Changed in horizon:
milestone: none → liberty-1

Changed in horizon:
status: Fix Committed → Fix Released

Changed in horizon:
milestone: liberty-1 → 8.0.0
tags: removed: in-stable-juno in-stable-kilo
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.