OpenStack Security Advisory

  1. Bug #1567673
  2. Comment #32

Comment 32 for bug 1567673

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Possible client side template injection in horizon

Oups, sorry about that. I also fixed a couple of typos, here is impact description draft #3:

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.0, 8.0.1 and 9.0.0

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.