Tristan:
Thanks. Please use Rackspace. Have a great day.
Michael
Sent from my iPhone
> On May 27, 2014, at 3:48 PM, Tristan Cacqueray <email address hidden> wrote:
>
> @michael xin, I'm not sure what company I should credit in this OSSA,
> your OpenStack community profile mentions Rackspace, is this still
> correct?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1320235
>
> Title:
> Stored XSS for /admin/users/
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisories:
> Confirmed
>
> Bug description:
> The /admin/users/ page does not output encode users' email addresses
> correctly. Since there is no user input validation for the users'
> email address during the creation process, it is possible to inject a script
> tag into the email address. This is a stored cross-site scripting
> issue.
>
> The issue can be abused to hijack a user's session and implant malware,
> etc.
>
>
> For example, attached is a screen copy of Horizon for users with stored XSS in action.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1320235/+subscriptions
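
The two gaps the report names, missing input validation at user creation and missing output encoding on the users page, shown side by side as an added Python example. It is not Horizon's code and not part of this thread; the function names, the address pattern and the sample records are constructed for illustration.

```python
import html
import re

# Conservative address pattern (an assumption, not Horizon's validator):
# no whitespace, quotes or angle brackets anywhere in the address.
EMAIL_RE = re.compile(r"[^@\s<>\"']+@[^@\s<>\"']+\.[^@\s<>\"']+")


def validate_email(value):
    """Input validation at user creation: reject anything not address-shaped."""
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email address")
    return value


def render_row_unsafe(user):
    """The flaw in the report: the stored value is written into markup as-is."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (user["name"], user["email"])


def render_row(user):
    """Output encoding: every stored field is escaped for the HTML context."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(user["name"], quote=True),
        html.escape(user["email"], quote=True),
    )


# Constructed sample records; the second carries markup in the email field.
USERS = [
    {"name": "alice", "email": "alice@example.org"},
    {"name": "mallory", "email": "<script>alert(1)</script>@example.org"},
]


def audit(users):
    """Return names of stored users whose email fails validation today."""
    flagged = []
    for user in users:
        try:
            validate_email(user["email"])
        except ValueError:
            flagged.append(user["name"])
    return flagged


if __name__ == "__main__":
    print(render_row(USERS[1]))
    print("needs cleanup:", audit(USERS))
```

Escaping at render time is the control that closes the stored XSS, because it also covers records created before validation existed; `audit` only finds those older records for cleanup.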