Date | Who | What changed | Old value | New value | Message |
2016-04-07 21:49:36 | Brandon Sawyers | bug | | | added bug |
2016-04-07 21:49:36 | Brandon Sawyers | attachment added | | screenshot.png https://bugs.launchpad.net/bugs/1567673/+attachment/4628265/+files/screenshot.png | |
2016-04-07 23:21:28 | Tristan Cacqueray | bug task added | | ossa | |
2016-04-07 23:21:48 | Tristan Cacqueray | description | (below) | (below) | |

Old value:
I'm working through my group's process to deploy a new web app so that we can provide OpenStack in our production environment. Part of that process is having an authenticated security scan done by Acunetix.
I've attached a screenshot of the report for the alert received during the scan.
Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.
Quick research found the following link, which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
Any input would be greatly appreciated.
Thanks!
Brandon

New value:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
I'm working through my group's process to deploy a new web app so that we can provide OpenStack in our production environment. Part of that process is having an authenticated security scan done by Acunetix.
I've attached a screenshot of the report for the alert received during the scan.
Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.
Quick research found the following link, which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
Any input would be greatly appreciated.
Thanks!
Brandon

2016-04-07 23:21:53 | Tristan Cacqueray | ossa: status | New | Incomplete | |
2016-04-07 23:22:09 | Tristan Cacqueray | bug | | | added subscriber Horizon Core security contacts |
2016-04-20 05:23:27 | Lin Hua Cheng | bug | | | added subscriber Richard Jones |
2016-04-20 06:46:39 | Richard Jones | horizon: status | New | Confirmed | |
2016-04-21 21:57:35 | Brandon Sawyers | attachment added | | screenshot.png https://bugs.launchpad.net/horizon/+bug/1567673/+attachment/4641979/+files/screenshot.png | |
2016-05-03 05:59:57 | Richard Jones | attachment added | | angular-escape.patch https://bugs.launchpad.net/horizon/+bug/1567673/+attachment/4654111/+files/angular-escape.patch | |
2016-05-09 15:40:01 | Tristan Cacqueray | bug | | | added subscriber Morgan Fainberg |
2016-05-09 15:43:18 | Tristan Cacqueray | ossa: status | Incomplete | Confirmed | |
2016-05-09 15:50:10 | Tristan Cacqueray | bug | | | added subscriber OSSG CoreSec |
2016-05-12 20:09:16 | Tristan Cacqueray | ossa: status | Confirmed | Triaged | |
2016-05-13 13:19:51 | Tristan Cacqueray | attachment added | | mitaka-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662140/+files/mitaka-angular-escape.patch | |
2016-05-13 13:20:09 | Tristan Cacqueray | attachment added | | liberty-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662141/+files/liberty-angular-escape.patch | |
2016-05-13 18:41:30 | Tristan Cacqueray | summary | Possible client side template injection in horizon | Possible client side template injection in horizon (CVE-2016-4428) | |
2016-05-13 18:41:35 | Tristan Cacqueray | cve linked | | 2016-4428 | |
2016-05-13 18:41:46 | Tristan Cacqueray | ossa: status | Triaged | In Progress | |
2016-05-13 19:47:34 | Tristan Cacqueray | attachment added | | newton-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662422/+files/newton-angular-escape.patch | |
2016-05-13 19:47:48 | Tristan Cacqueray | attachment added | | mitaka-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662423/+files/mitaka-angular-escape.patch | |
2016-05-13 19:48:16 | Tristan Cacqueray | attachment added | | liberty-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662424/+files/liberty-angular-escape.patch | |
2016-05-13 19:48:46 | Tristan Cacqueray | attachment removed | liberty-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662141/+files/liberty-angular-escape.patch | | |
2016-05-13 19:49:05 | Tristan Cacqueray | attachment removed | mitaka-angular-escape.patch https://bugs.launchpad.net/ossa/+bug/1567673/+attachment/4662140/+files/mitaka-angular-escape.patch | | |
2016-06-08 08:51:19 | Tristan Cacqueray | ossa: status | In Progress | Fix Committed | |
2016-06-15 15:02:01 | Tristan Cacqueray | information type | Private Security | Public | |
2016-06-15 15:03:20 | OpenStack Infra | horizon: status | Confirmed | In Progress | |
2016-06-15 15:03:20 | OpenStack Infra | horizon: assignee | | Tristan Cacqueray (tristan-cacqueray) | |
2016-06-15 15:08:54 | Tristan Cacqueray | summary | Possible client side template injection in horizon (CVE-2016-4428) | [OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428) | |
2016-06-15 15:09:03 | Tristan Cacqueray | description | (below) | (below) | |

Old value:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
I'm working through my group's process to deploy a new web app so that we can provide OpenStack in our production environment. Part of that process is having an authenticated security scan done by Acunetix.
I've attached a screenshot of the report for the alert received during the scan.
Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.
Quick research found the following link, which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
Any input would be greatly appreciated.
Thanks!
Brandon

New value:
I'm working through my group's process to deploy a new web app so that we can provide OpenStack in our production environment. Part of that process is having an authenticated security scan done by Acunetix.
I've attached a screenshot of the report for the alert received during the scan.
Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.
Quick research found the following link, which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
Any input would be greatly appreciated.
Thanks!
Brandon

2016-06-15 18:44:13 | OpenStack Infra | horizon: status | In Progress | Fix Released | |
2016-06-17 11:37:59 | OpenStack Infra | tags | | in-stable-mitaka | |
2016-06-17 14:18:05 | OpenStack Infra | tags | in-stable-mitaka | in-stable-liberty in-stable-mitaka | |
2016-06-17 14:23:27 | Tristan Cacqueray | ossa: status | Fix Committed | Fix Released | |
2016-07-21 13:21:03 | Rob Cresswell | horizon: milestone | | newton-2 | |
2016-07-21 13:21:05 | Rob Cresswell | horizon: importance | Undecided | Critical | |