CVE-2014-0157 – openstack-horizon: XSS in Horizon orchestration dashboard when using a malicious template
https://notcve.org/view.php?id=CVE-2014-0157
Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template. Vulnerabilidad de XSS en el dashboard de Horizon Orchestration en OpenStack Dashboard (también conocido como Horizon) 2013.2 anterior a 2013.2.4i y icehouse before icehouse-rc2 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del campo descripción de una plantilla Heat. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/04/08/8 http://www.securityfocus.com/bid/66706 https://launchpad.net/bugs/1289033 https://access.redhat.com/security/cve/CVE-2014-0157 https://bugzilla.redhat.com/show_bug.cgi?id=1082858 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-6858 – openstack: horizon multiple XSS vulnerabilities.
https://notcve.org/view.php?id=CVE-2013-6858
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page. Múltiples vulnerabilidades de XSS en OpenStack Dashboard (Horizon) 2013.2 y anteriores versiones permiten a usuarios locales inyectar script web o HTML arbitrario a través de un nombre de instancia en (1) "Volumes" o (2) "Network Topology". • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://secunia.com/advisories/55770 http://secunia.com/advisories/56117 http://www.securityfocus.com/bid/63787 http://www.ubuntu.com/usn/USN-2062-1 https://bugs.launchpad.net/horizon/+bug/1247675 https://access.redhat.com/security/cve/CVE-2013-6858 https://bugzilla.redhat.com/show_bug.cgi?id=1034153 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-3540 – OpenStack-Horizon: Open redirect through 'next' parameter
https://notcve.org/view.php?id=CVE-2012-3540
Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake. Una vulnerabilidad de redireción abierta en views/auth_forms.py en OpenStack Dashboard (Horizon) Essex (2012.1) permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de una URL en el parámetro siguiente a auth/login/. NOTA: este problema se le asignó originalmente CVE-2012-3542 por error • http://secunia.com/advisories/50480 http://www.openwall.com/lists/oss-security/2012/08/30/4 http://www.openwall.com/lists/oss-security/2012/08/30/5 http://www.securityfocus.com/bid/55329 http://www.ubuntu.com/usn/USN-1565-1 https://bugs.launchpad.net/horizon/+bug/1039077 https://exchange.xforce.ibmcloud.com/vulnerabilities/78196 https://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b https://lists.launchpad.net/openstack/msg16278.html https://lists.l • CWE-20: Improper Input Validation •
CVE-2012-3542 – Keystone: Lack of authorization for adding users to tenants
https://notcve.org/view.php?id=CVE-2012-3542
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. OpenStack Keystone, tal como se utiliza en OpenStack Folsom Folsom antes-rc1 y OpenStack Essex (2012.1), permite a atacantes remotos añadir un usuario arbitrario a través de una solicitud para actualizar el usuario por defecto para la API de administración. NOTA: este identificador originalmente fue incorrectamente asignado a otro problema, pero el identificador correcto es CVE-2012-3540. • http://secunia.com/advisories/50467 http://secunia.com/advisories/50494 http://www.openwall.com/lists/oss-security/2012/08/30/6 http://www.securityfocus.com/bid/55326 http://www.ubuntu.com/usn/USN-1552-1 https://bugs.launchpad.net/keystone/+bug/1040626 https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155 https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa https://lists.launchpad.net/openstack/msg16282.html https://access.redhat.com • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-3426
https://notcve.org/view.php?id=CVE-2012-3426
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password. OpenStack Keystone antes de v2012.1.1, como se usa en OpenStack Folsom antes de Folsom-1 y OpenStack Essex, no implementan apropiadamente la expiración de los token, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso (1) creando nuevos token a través de la cadena de token, (2) aprovechando la posesión de un token de una cuenta de usuario deshabilitada o (3) aprovechando la posesión de un token de una cuenta con una contraseña cambiada • http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de http://secunia.com/advisories/50045 http://secunia.com/advisories/50494 ht • CWE-264: Permissions, Privileges, and Access Controls •