Page 3 of 22 results (0.014 seconds)

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 1

CVE-2014-3594 – openstack-horizon: persistent XSS in Horizon Host Aggregates interface

https://notcve.org/view.php?id=CVE-2014-3594

Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. Vulnerabilidad de XSS en la interfaz Host Aggregates en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-3 permite a administradores remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de agregado de anfitrión nuevo. A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://rhn.redhat.com/errata/RHSA-2014-1335.html http://rhn.redhat.com/errata/RHSA-2014-1336.html http://seclists.org/oss-sec/2014/q3/413 http://www.securityfocus.com/bid/69291 https://bugs.launchpad.net/horizon/+bug/1349491 https://exchange.xforce.ibmcloud.com/vulnerabilities/95378 https://review.openstack.org/#/c/115310 https://review.openstack.org/#/c/115311 https://review.openstack.org/# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-3473 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3473

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template. Vulnerabilidad de XSS en la sección Orchestration/Stack en el cuadro de mandos Horizon Orchestration en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2, cuando utilizado con Heat, permite a dueños o catálogos de plantillas Orchestration inyectar secuencias de comandos web o HTML arbitrarios a través de una plantilla manipulada. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68459 https://bugs.launchpad.net/horizon/+bug/1308727 https://access.redhat.com/security/cve/CVE-2014-3473 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1

CVE-2014-3474 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3474

Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. Vulnerabilidad de XSS en horizon/static/horizon/js/horizon.instances.js en el menú Launch Instance en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de red. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68460 https://bugs.launchpad.net/horizon/+bug/1322197 https://review.openstack.org/#/c/105477 https://access.redhat.com/security/cve/CVE-2014-3474 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-3475 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3475

Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578. Vulnerabilidad de XSS en el panel de usuarios (admin/users/) en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2 permite a administradores remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una dirección de email de un usuario, una vulnerabilidad diferente a CVE-2014-8578. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68456 https://bugs.launchpad.net/horizon/+bug/1320235 https://access.redhat.com/security/cve/CVE-2014-3475 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2013-4471

https://notcve.org/view.php?id=CVE-2013-4471

The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user. La API Identity v3 en OpenStack Dashboard (Horizon) anterior a 2013.2 no requiere la contraseña actual cuando cambia contraseñas para cuentas de usuarios, lo que facilita a atacantes remotos cambiar una contraseña de usuario mediante el aprovechamiento del token de autenticación para este usuario. • http://lists.openstack.org/pipermail/openstack/2013-November/003299.html https://bugs.launchpad.net/horizon/+bug/1237989 • CWE-287: Improper Authentication •