Comment 6 for bug 1453074

Tristan Cacqueray (tristan-cacqueray) wrote : Re: help_text parameter of fields is vulnerable to arbitrary html injection

At least Juno and Kilo are affected; is Icehouse also affected?

Assuming the description field is only rendered during the stack creation and there are no other ways to make its content executed (like through a show_info url), here is the impact description draft:

Title: XSS in Horizon Heat stack creation
Reporter: Nikita Konovalov (Mirantis)
Products: Horizon
Affects: 2014.2 versions through 2014.2.3 and version 2015.1.0

Description:
Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability during the stack creation. It may result in potential theft of assets such as user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.