CVE-2015-3219 – python-django-horizon: XSS in Heat stack creation
https://notcve.org/view.php?id=CVE-2015-3219
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.

A cross-site scripting (XSS) flaw was found in the Horizon orchestration dashboard. An attacker able to trick a Horizon user into using a malicious template during the stack creation could use this flaw to perform an XSS attack on that user.

References:
http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html
http://rhn.redhat.com/errata/RHSA-2015-1679.html
http://www.debian.org/security/2016/dsa-3617
http://www.openwall.com/lists/oss-security/2015/06/09/7
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.securityfocus.com/bid/75109
https://bugs.launchpad.net/horizon/+bug/1453074
https://access.redhat.com/security/cve/CVE-2015-3219
https://bugzilla.redhat.com/sho

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-3988 – python-django-horizon: persistent XSS in Horizon metadata dashboard
https://notcve.org/view.php?id=CVE-2015-3988
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.

A flaw was discovered in the OpenStack dashboard (horizon) handling of metadata. Potentially untrusted data was displayed from OpenStack Image service (glance) images, OpenStack Compute (nova) flavors, or host aggregates without correct sanitization. The flaw could be used by an authenticated user to conduct an XSS attack.

References:
http://rhn.redhat.com/errata/RHSA-2015-1679.html
http://www.openwall.com/lists/oss-security/2015/05/12/9
http://www.openwall.com/lists/oss-security/2015/05/14/14
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.securityfocus.com/bid/74666
https://security.openstack.org/ossa/OSSA-2015-009.html
https://access.redhat.com/security/cve/CVE-2015-3988
https://bugzilla.redhat.com/show_bug.cgi?id=1222871

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8124 – python-django-horizon: denial of service via login page requests
https://notcve.org/view.php?id=CVE-2014-8124
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.

A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html
http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html
http://rhn.redhat.com/errata/RHSA-2015-0839.html
http://rhn.redhat.com/errata/RHSA-2015-0845.html
http://secunia.com/advisories/61186
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://bugs.launchpad.net/horizon/+bug/1394370
https:

CWE-400: Uncontrolled Resource Consumption
CVE-2014-8578 – openstack-horizon: multiple XSS flaws
https://notcve.org/view.php?id=CVE-2014-8578
Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.

References:
http://www.openwall.com/lists/oss-security/2014/07/08/6
http://www.securityfocus.com/bid/68456
https://bugs.launchpad.net/horizon/+bug/1320235
https://access.redhat.com/security/cve/CVE-2014-8578
https://bugzilla.redhat.com/show_bug.cgi?id=1116090

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3594 – openstack-horizon: persistent XSS in Horizon Host Aggregates interface
https://notcve.org/view.php?id=CVE-2014-3594
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user.

References:
http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html
http://rhn.redhat.com/errata/RHSA-2014-1335.html
http://rhn.redhat.com/errata/RHSA-2014-1336.html
http://seclists.org/oss-sec/2014/q3/413
http://www.securityfocus.com/bid/69291
https://bugs.launchpad.net/horizon/+bug/1349491
https://exchange.xforce.ibmcloud.com/vulnerabilities/95378
https://review.openstack.org/#/c/115310
https://review.openstack.org/#/c/115311
https://review.openstack.org/#

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')