Some pages in Horizon appear to not validate the source information when displaying data provided in parameters, leading to a potential opportunity for phishing. For example, here:
https://git.openstack.org/cgit/openstack/horizon/tree/horizon/templates/auth/_login_form.html#n37
Imagine this scenario: Alice logs into Horizon, works for a while, then checks her email. An attacker has emailed her asking to check out something in Horizon and provides a clickable link whose href is:
http://myhorizonurl.com/dashboard/auth/login/?next=Error!+Please+try+this+url+instead:%00http://www.malwaredomain.com/
Since Alice is already logged in to Horizon, when she clicks the link she will see a "proper-looking" message in Horizon pointing her to another site where she might be further exploited. This might be avoided if the source of the parameters in the GET request were validated.
Note that AFAIK it's not possible to do markup in the message (e.g. to turn malwaredomain.com into a clickable link on the Horizon page) or actually create a redirect with this approach. In this particular case it also only works if the user is logged in already (otherwise Alice will get punted to the login screen and will get a 404 error after providing credentials).
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.