Comment 15 for bug 977944

Russell Bryant (russellb) wrote :

As requested, here is the updated description that reflects Matthias as the reporter since he originally found the issue:

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <email address hidden>
Products: Horizon
Affects: All versions

Description:
Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with JavaScript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.
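
The missing escaping described in the comment above, shown as an added example that is not part of the original comment and is not Horizon's code. `escapeHtml`, `LogPane`, `hasInjectedMarkup` and the sample console text are hypothetical names and constructed data used to compare a refresh that inserts console output verbatim with one that escapes it first.

```javascript
// Hypothetical stand-in for a log viewer refresh; not Horizon's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML metacharacter in a single pass so '&' is never double-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Holds the markup that would be assigned to the log pane on each refresh.
class LogPane {
  constructor(escape) {
    this.escape = escape; // false models the reported behaviour, true the fix
    this.markup = '';
  }
  // Called once per refresh with the console text returned by the server.
  refresh(consoleText) {
    const body = this.escape ? escapeHtml(consoleText) : consoleText;
    this.markup = '<pre class="logs">' + body + '</pre>';
    return this.markup;
  }
}

// Constructed sample: console output is fully controlled by whoever runs the guest.
const SAMPLE_CONSOLE =
  'Booting...\n<script>/* guest-controlled */</script>\nlogin: a & b';

// True if the pane contains any tag besides its own <pre> wrapper, i.e. the
// browser would parse guest output as markup instead of showing it as text.
function hasInjectedMarkup(markup) {
  const inner = markup.replace(/^<pre class="logs">/, '').replace(/<\/pre>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

function demo() {
  const unsafe = new LogPane(false).refresh(SAMPLE_CONSOLE);
  const safe = new LogPane(true).refresh(SAMPLE_CONSOLE);
  return {
    unsafe: hasInjectedMarkup(unsafe),
    safe: hasInjectedMarkup(safe),
    safeMarkup: safe,
  };
}

console.log(demo());
```

In a browser, assigning the fetched text to the element's `textContent` instead of building markup achieves the same result without a hand-written escaper.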