XSS in noVNC
Bug #1656435 reported by David Wyde
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
Bug Description
I recently reported an XSS bug in noVNC, which has since been fixed in 0.6.2: https:/
Depending on how OpenStack pulls in the noVNC viewer, it might be worth a security note or release.
Vulnerability Summary:
It's possible to set up a malicious noVNC server, then send someone a URL like http:// will use a WebSocket to connect to the malicious one, then display a status message that runs JavaScript in the user's browser.
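The sink the report describes is a status string that originates from the remote VNC/WebSocket endpoint and is written into the viewer page as markup. The following is an added illustration, not noVNC's or Horizon's own code: a constructed malicious status message, the unsafe rendering pattern that lets it execute, and the hardened pattern (assign to `textContent`, or HTML-escape when building a string). The `noVNC_status` class name and the function names are illustrative assumptions.

```javascript
// Added example (not noVNC or Horizon code). A status message that a
// malicious server could return; the payload is constructed for the demo.
const MALICIOUS_STATUS =
  'Disconnected <img src=x onerror="alert(document.cookie)">';

// Unsafe pattern: the server-controlled message is concatenated into HTML,
// so any tag or event handler it carries becomes part of the page.
function renderStatusUnsafe(msg) {
  return '<div class="noVNC_status">' + msg + '</div>';
}

// Escape the five characters that have meaning in HTML text/attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: in a browser, set textContent so the string is stored as
// a text node and never parsed as markup; without a DOM (e.g. server-side
// templating or this Node demo) escape before concatenating.
function renderStatusSafe(msg, doc = globalThis.document) {
  if (doc) {
    const el = doc.createElement('div');
    el.className = 'noVNC_status';
    el.textContent = msg; // browser escapes on serialisation
    return el.outerHTML;
  }
  return '<div class="noVNC_status">' + escapeHtml(msg) + '</div>';
}

// Quick check usable in a review or unit test: after the fixed wrapper div
// is removed, does any raw '<' from the message survive in the output?
function leaksMarkup(rendered) {
  const inner = rendered.replace(/^<div class="noVNC_status">/, '').replace(/<\/div>$/, '');
  return inner.includes('<');
}
```

Running the two renderers on `MALICIOUS_STATUS` shows the difference: the unsafe output still contains a live `<img ... onerror=...>` element, while the safe output contains only `&lt;img ...&gt;`, which the browser displays as literal text.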
I've added an invalid OSSA bugtask (indicating that the OpenStack VMT won't issue a formal advisory for this) as it's clearly class C2 in our report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy
I've subscribed the security team reviewers in case they determine they would like to release a security note as you indicate. Due to the fact that the NoVNC vulnerabilities you've linked above are public, it probably makes little sense to work on this report under embargo but I'll let the OSSG CoreSec members make that determination.