Comment 4 for bug 1892848

Jeremy Stanley (fungi) wrote : Re: Persistent XSS found in the horizon dashboard v3.10

Dorina Timbur also reported this more recently. Quoting from the duplicate bug:

"As part of a penetration test done by a third party on a customer environment, it was found that by adding JavaScript into the ‘Subnet Name’ field, the JavaScript would trigger when adding the network to an instance and then loading a network trunk. The user needs permissions to create a network and edit an instance for this to trigger. See attached screenshots for more details. This is susceptible to a Cross-Site Scripting (XSS) vulnerability."