Your submission was sent successfully! Close

CVE-2015-3219

Published: 20 August 2015

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.

Priority

Medium

Status

Package Release Status
horizon
Launchpad, Ubuntu, Debian
Upstream
Released (2015.1.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [1:2014.1.5-0ubuntu1])
Patches:
Upstream: https://review.openstack.org/#/c/189985/ (icehouse)
Upstream: https://review.openstack.org/189821 (juno)
Upstream: https://review.openstack.org/189822 (kilo)
Upstream: https://review.openstack.org/189820 (liberty)