
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 through 20.1.4 via the success_url parameter. • https://bugs.launchpad.net/horizon/+bug/1982676 https://github.com/openstack/horizon/blob/master/horizon/workflows/views.py#L96-L102 https://lists.debian.org/debian-lts-announce/2023/11/msg00033.html https://lists.debian.org/debian-lts-announce/2023/12/msg00000.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 1

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL. A flaw was found in python-django-horizon. The "next" parameter is not correctly validated, allowing a remote attacker to supply a malicious URL in the dashboard that could cause an automatic redirect to the provided malicious site. • http://www.openwall.com/lists/oss-security/2020/12/08/2 https://bugs.launchpad.net/horizon/+bug/1865026 https://review.opendev.org/c/openstack/horizon/+/758841 https://review.opendev.org/c/openstack/horizon/+/758843 https://security.openstack.org/ossa/OSSA-2020-008.html https://www.debian.org/security/2020/dsa-4820 https://access.redhat.com/security/cve/CVE-2020-29565 https://bugzilla.redhat.com/show_bug.cgi?id=1811510 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 1

The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092841.html https://access.redhat.com/security/cve/cve-2012-5474 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5474 https://security-tracker.debian.org/tracker/CVE-2012-5474 • CWE-311: Missing Encryption of Sensitive Data •

CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable, which exposes the admin password and token value. • https://access.redhat.com/security/cve/cve-2012-5476 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5476 https://security-tracker.debian.org/tracker/CVE-2012-5476 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.8 | EPSS: 0% | CPEs: 19 | EXPL: 0

OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping. A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard. • http://www.securityfocus.com/bid/97324 https://access.redhat.com/errata/RHSA-2017:1598 https://access.redhat.com/errata/RHSA-2017:1739 https://launchpad.net/bugs/1667086 https://access.redhat.com/security/cve/CVE-2017-7400 https://bugzilla.redhat.com/show_bug.cgi?id=1439626 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •