CVE-2016-4428 – python-django-horizon: XSS in client side template
https://notcve.org/view.php?id=CVE-2016-4428
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
A DOM-based cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, an image's description); the payload is evaluated when another user browses the affected page. This could result in user accounts being compromised (for example, user-access credentials being stolen).
• http://www.debian.org/security/2016/dsa-3617 http://www.openwall.com/lists/oss-security/2016/06/17/4 https://access.redhat.com/errata/RHSA-2016:1268 https://access.redhat.com/errata/RHSA-2016:1269 https://access.redhat.com/errata/RHSA-2016:1270 https://access.redhat.com/errata/RHSA-2016:1271 https://access.redhat.com/errata/RHSA-2016:1272 https://bugs.launchpad.net/horizon/+bug/1567673 https://review.openstack.org/329996 https://review.openstack.org/329997 https
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3219 – python-django-horizon: XSS in Heat stack creation
https://notcve.org/view.php?id=CVE-2015-3219
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a Heat template, which is not properly handled in the help_text attribute of the Field class.
A cross-site scripting (XSS) flaw was found in the Horizon orchestration dashboard. An attacker able to trick a Horizon user into using a malicious template during stack creation could use this flaw to perform an XSS attack on that user.
• http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html http://rhn.redhat.com/errata/RHSA-2015-1679.html http://www.debian.org/security/2016/dsa-3617 http://www.openwall.com/lists/oss-security/2015/06/09/7 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/75109 https://bugs.launchpad.net/horizon/+bug/1453074 https://access.redhat.com/security/cve/CVE-2015-3219 https://bugzilla.redhat.com/sho
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3988 – python-django-horizon: persistent XSS in Horizon metadata dashboard
https://notcve.org/view.php?id=CVE-2015-3988
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata of a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.
A flaw was discovered in the OpenStack dashboard (horizon) handling of metadata. Potentially untrusted data from OpenStack Image service (glance) images, OpenStack Compute (nova) flavors, or host aggregates was displayed without correct sanitization. The flaw could be used by an authenticated user to conduct an XSS attack.
• http://rhn.redhat.com/errata/RHSA-2015-1679.html http://www.openwall.com/lists/oss-security/2015/05/12/9 http://www.openwall.com/lists/oss-security/2015/05/14/14 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/74666 https://security.openstack.org/ossa/OSSA-2015-009.html https://access.redhat.com/security/cve/CVE-2015-3988 https://bugzilla.redhat.com/show_bug.cgi?id=1222871
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
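The three XSS entries above (CVE-2016-4428, CVE-2015-3219, CVE-2015-3988) share one root cause: attacker-controlled strings (an image description, a Heat template's parameter description, image/flavor/aggregate metadata) reach the page without being neutralized for the context they land in. The block below is an added example, not Horizon's own code or fix. It shows the server-side escaping that closes the help_text and metadata cases, and a simple scanner that flags AngularJS interpolation expressions in submitted form values, which is the kind of input a client-side template injection relies on. The assumed delimiter pairs (Horizon configuring AngularJS to use `{$ ... $}` alongside the stock `{{ ... }}`), the function names and all sample inputs are constructed for this example.

```python
"""Added example (not Horizon's own code): output escaping for the
help_text / metadata XSS cases and a detector for AngularJS
template-injection probes in submitted form values."""
import html
import re

# Assumption for this example: Horizon sets AngularJS interpolation
# delimiters to "{$ ... $}" so they do not collide with Django's
# "{{ ... }}"; stock AngularJS uses "{{ ... }}". Both pairs are checked.
_ANGULAR_EXPR = re.compile(r"\{\$.*?\$\}|\{\{.*?\}\}", re.DOTALL)


def render_help_text_unsafe(help_text):
    """'Before' form: the value is interpolated into markup verbatim.
    Django does not HTML-escape Field.help_text in auto-generated forms,
    so a description copied from a Heat template lands here untouched."""
    return '<span class="help-block">%s</span>' % help_text


def render_help_text_safe(help_text):
    """'After' form: escape at the HTML output boundary, including quotes
    so the value is also safe inside an attribute."""
    return '<span class="help-block">%s</span>' % html.escape(help_text, quote=True)


def render_metadata_row_safe(key, value):
    """Same rule for Glance/Nova/aggregate metadata: key and value are both
    attacker-controlled and both get escaped before hitting the table."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(str(key), quote=True),
        html.escape(str(value), quote=True),
    )


def find_angular_probes(value):
    """Return every AngularJS interpolation expression found in a string.
    Legitimate descriptions essentially never contain these markers, so a
    hit is worth logging with the submitting user and target field."""
    return _ANGULAR_EXPR.findall(value)


def scan_form(fields):
    """fields: dict of form-field name -> submitted string.
    Returns (field, expression) pairs for every probe found."""
    hits = []
    for name, value in fields.items():
        for expr in find_angular_probes(value):
            hits.append((name, expr))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real Horizon deployment.
    desc = "<img src=x onerror=alert(1)>"
    print(render_help_text_unsafe(desc))   # tag survives intact
    print(render_help_text_safe(desc))     # tag neutralized
    print(scan_form({"name": "web-01", "description": "test {$ 7*7 $}"}))
```

`scan_form` is a detection aid, not a sanitizer: the fix for the client-side case is to keep untrusted data out of regions AngularJS compiles as templates (or bind it as data rather than markup), while the server-side cases are fixed by escaping at output time as `render_help_text_safe` does.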
CVE-2014-8124 – python-django-horizon: denial of service via login page requests
https://notcve.org/view.php?id=CVE-2014-8124
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, each of which created an unwanted backend session entry; the accumulated entries could exhaust the session store and lead to a denial of service.
• http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://rhn.redhat.com/errata/RHSA-2015-0839.html http://rhn.redhat.com/errata/RHSA-2015-0845.html http://secunia.com/advisories/61186 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html https://bugs.launchpad.net/horizon/+bug/1394370 https:
• CWE-400: Uncontrolled Resource Consumption
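The resource-consumption pattern in CVE-2014-8124 is easier to reason about with a model of the session store. The block below is an added example, not Horizon's code or its fix: it models a db/memcached-style backend as one record per saved session, a login view that touches the session on every request (so an unauthenticated GET persists a record), and the hardened behaviour of persisting nothing until a login succeeds. The mechanism by which the original view touched the session, the stand-in store, and the request sequences are all assumptions constructed for the example.

```python
"""Added example (not Horizon's own code): why anonymous requests to a
login page can fill a server-side session store, and the hardened
behaviour that only persists a session after successful login."""


class SessionStore:
    """Stand-in for a db/memcached session backend: one entry per saved
    session. Real backends also expire entries, but a burst of requests
    outruns expiry, which is the failure mode here."""

    def __init__(self):
        self.entries = {}
        self._next = 0

    def save(self, data):
        self._next += 1
        key = "sess-%d" % self._next
        self.entries[key] = dict(data)
        return key

    def __len__(self):
        return len(self.entries)


def login_view_unsafe(store, method, credentials_ok=False):
    """'Before' form (assumed mechanism): the view writes to the session on
    every request, so the backend persists a record for each anonymous GET."""
    session = {"login_page_seen": True}   # any write marks the session dirty
    key = store.save(session)
    if method == "POST" and credentials_ok:
        store.entries[key]["user_id"] = 42
    return key


def login_view_safe(store, method, credentials_ok=False):
    """'After' form: nothing reaches the backend until a successful POST."""
    if method == "POST" and credentials_ok:
        return store.save({"user_id": 42})
    return None


def simulate(view, requests):
    """requests: iterable of (method, credentials_ok). Returns the number of
    backend records left behind, i.e. the attacker's storage cost per request."""
    store = SessionStore()
    for method, ok in requests:
        view(store, method, ok)
    return len(store)


def anonymous_flood(n):
    """Constructed traffic: n unauthenticated GETs followed by one real login."""
    return [("GET", False)] * n + [("POST", True)]


if __name__ == "__main__":
    traffic = anonymous_flood(10_000)
    print("unsafe view:", simulate(login_view_unsafe, traffic), "records")
    print("safe view:  ", simulate(login_view_safe, traffic), "records")
```

In operations terms, the signal to watch is session-store growth that tracks unauthenticated request volume rather than successful logins; a login page should cost the backend nothing until credentials are accepted.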
CVE-2014-8578 – openstack-horizon: multiple XSS flaws
https://notcve.org/view.php?id=CVE-2014-8578
Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user's email address, a different vulnerability than CVE-2014-3475.
• http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68456 https://bugs.launchpad.net/horizon/+bug/1320235 https://access.redhat.com/security/cve/CVE-2014-8578 https://bugzilla.redhat.com/show_bug.cgi?id=1116090
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')