CVE-2017-7400
python-django-horizon: XSS in federation mappings UI
Severity Score
4.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
OpenStack Horizon 9.x a través de 9.1.1, 10.x en versiones hasta 10.0.2 y 11.0.0 permite a los administradores autenticados remotos realizar ataques XSS a través de una asignación de federación manipulada.
A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard.
OpenStack Dashboard provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. The following packages have been upgraded to a later upstream version: python-django-horizon. Security Fix: A cross-site scripting flaw was discovered in the OpenStack dashboard which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-04-03 CVE Reserved
- 2017-04-03 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/97324 | Third Party Advisory | |
| https://launchpad.net/bugs/1667086 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2017:1598 | 2018-01-05 | |
| https://access.redhat.com/errata/RHSA-2017:1739 | 2018-01-05 | |
| https://access.redhat.com/security/cve/CVE-2017-7400 | 2017-07-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1439626 | 2017-07-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | b1 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | b2 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | b3 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | rc1 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.0 Search vendor "Openstack" for product "Horizon" and version "9.0.0" | rc2 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.0.1 Search vendor "Openstack" for product "Horizon" and version "9.0.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.1.0 Search vendor "Openstack" for product "Horizon" and version "9.1.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 9.1.1 Search vendor "Openstack" for product "Horizon" and version "9.1.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | b1 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | b2 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | b3 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | rc1 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | rc2 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.0 Search vendor "Openstack" for product "Horizon" and version "10.0.0" | rc3 |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.1 Search vendor "Openstack" for product "Horizon" and version "10.0.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 10.0.2 Search vendor "Openstack" for product "Horizon" and version "10.0.2" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Horizon Search vendor "Openstack" for product "Horizon" | 11.0.0 Search vendor "Openstack" for product "Horizon" and version "11.0.0" | - |
Affected
| ||||||