Draft advisory. Are you okay with this?
Proposing a coordinated release date of 2016-08-24 12:00 UTC
== draft ==
CVE-2016-6519: OpenStack manila-ui: Persistent XSS in Metadata field
It was discovered that the Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. The issue comes from a mark_safe() call on the user supplied metadata.
https://github.com/openstack/manila-ui/blob/d5fe23e4ba30846acdd09fa1dc61a415016a7e26/manila_ui/dashboards/project/shares/shares/tabs.py#L49
Remote, authenticated, but unprivileged users could exploit this vulnerability to escalate privileges by stealing session cookies.
Due to the size limitation of metadata strings the malicious payload needs to be split over multiple keys. In order to reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:
a=<script>alert("test")/*
b=*/<script>
As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list is loaded (e.g. by clicking on Project -> Compute -> Shares).
The issue was discovered by Niklaus Schiess; the fix was provided by Valeriy Ponomaryov.
MITRE assigned CVE-2016-6519 to this issue.
The upstream bug is https://bugs.launchpad.net/manila-ui/+bug/1597738
The SUSE bug is https://bugzilla.suse.com/show_bug.cgi?id=988935
SUSE's evaluation has a CVSS base score 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
== draft ==
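The mark_safe() problem described in the draft, shown as an added example that is neither manila-ui's code nor the upstream fix: it compares marking joined metadata safe as-is with escaping each key and value first. `SafeString`, `template_output` and the `render_metadata_*` functions are hypothetical stand-ins that model Django's safe-string and autoescape behaviour using only the standard library.

```python
import html

# Constructed sample: the two-key payload quoted in the advisory.
PAYLOAD = {"a": '<script>alert("test")/*', "b": "*/<script>"}


class SafeString(str):
    """Stand-in for Django's SafeString: a str the template layer will not escape."""


def mark_safe(value):
    # Models django.utils.safestring.mark_safe: it only tags, it does not sanitize.
    return SafeString(value)


def template_output(value):
    # Models template autoescaping: plain str is escaped, SafeString passes through.
    return value if isinstance(value, SafeString) else html.escape(value)


def render_metadata_unsafe(metadata):
    # Vulnerable pattern: user-supplied keys/values are joined and tagged safe as-is.
    rows = "<br/>".join(f"{k} = {v}" for k, v in sorted(metadata.items()))
    return template_output(mark_safe(rows))


def render_metadata_escaped(metadata):
    # Hardened pattern: escape every user-controlled piece, then tag only the
    # markup this function itself produced (the <br/> separators).
    rows = "<br/>".join(
        f"{html.escape(str(k))} = {html.escape(str(v))}"
        for k, v in sorted(metadata.items())
    )
    return template_output(mark_safe(rows))


def contains_live_tag(rendered):
    # Crude check for the demo: did a raw <script tag survive rendering?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for fn in (render_metadata_unsafe, render_metadata_escaped):
        out = fn(PAYLOAD)
        print(f"{fn.__name__}: live <script> = {contains_live_tag(out)}")
```

In the unsafe output the `<br/>` separator between the two keys falls inside the `/* ... */` comment, which is why the per-key size limit does not stop the split payload.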