Your submission was sent successfully! Close

CVE-2015-3219

Published: 20 August 2015

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.

Notes

AuthorNote
mdeslaur
will not be fixed before 14.10 goes EoL
bug and review url says icehouse isn't affected
Priority

Medium

Status

Package Release Status
horizon
Launchpad, Ubuntu, Debian
precise Not vulnerable
(code not present)
trusty Does not exist
(trusty was not-affected [1:2014.1.5-0ubuntu1])
upstream
Released (2015.1.1)
utopic Ignored
(reached end-of-life)
vivid Not vulnerable
(1:2015.1.1-0ubuntu1)
wily Not vulnerable
(2:8.0.0~b3-0ubuntu1)
Patches:
upstream: https://review.openstack.org/#/c/189985/ (icehouse)
upstream: https://review.openstack.org/189821 (juno)
upstream: https://review.openstack.org/189822 (kilo)
upstream: https://review.openstack.org/189820 (liberty)