At least Juno and Kilo are affected, is Icehouse also affected?
Assuming the description field is only rendered during the stack creation and there are no other ways to make its content executed (like through a show_info url), here is the impact description draft:
Title: XSS in Horizon Heat stack creation
Reporter: Nikita Konovalov (Mirantis)
Products: Horizon
Affects: 2014.2 versions through 2014.2.3 and version 2015.1.0
Description:
Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site scripting vulnerability during the stack creation. It may result in potential asset theft like user access credentials. Only setups exposing the orchestration dashboard in Horizon are affected.
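To illustrate the class of bug the draft describes (a template-supplied description field reaching the page as live markup) and the fix a reviewer would look for, here is an added example that is not Horizon's code and not part of this bug report. The template is a constructed sample, shown already parsed into a dict as PyYAML would produce from a Heat YAML file; the function names and the unescaped rendering path are assumptions made for the demonstration.

```python
# Added example (not Horizon's or Heat's code): the difference between
# interpolating a template's description verbatim and HTML-escaping it,
# which is what a Django template does under autoescape.
import html
import re

# Constructed sample, as PyYAML would parse a Heat template. The description
# is controlled by whoever wrote the template, so it must be treated as
# untrusted input when Horizon displays it.
SAMPLE_TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "description": 'Demo stack <script>xss_probe()</script>',
    "resources": {},
}


def render_unsafe(template: dict) -> str:
    """Vulnerable pattern: the description lands in the markup unchanged."""
    return "<p class='description'>%s</p>" % template.get("description", "")


def render_safe(template: dict) -> str:
    """Hardened pattern: escape <, >, &, and quotes before interpolation."""
    text = str(template.get("description", ""))
    return "<p class='description'>%s</p>" % html.escape(text, quote=True)


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def description_has_markup(template: dict) -> bool:
    """Review helper: flag templates whose description carries HTML tags.

    A plain Heat description never needs '<'; a hit is worth a look before
    the template is shared with dashboard users.
    """
    return bool(_TAG_RE.search(str(template.get("description", ""))))


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_TEMPLATE))
    print("safe:  ", render_safe(SAMPLE_TEMPLATE))
    print("flagged:", description_has_markup(SAMPLE_TEMPLATE))
```

The escaped output still shows the reader the full description text; only its interpretation as markup changes, which is why escaping at render time (rather than stripping on upload) is the usual fix for this field.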