Comment 11 for bug 977944

Proposed description. Feedback welcome.

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: J. Daniel Schmidt <email address hidden>
Products: Horizon
Affects: All versions

Description:
J. Daniel Schmidt reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.