CVE-2015-3219
Published: 20 August 2015
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.
Notes
| Author | Note |
|---|---|
| mdeslaur | will not be fixed before 14.10 goes EoL bug and review url says icehouse isn't affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
horizon Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
(code not present)
|
| trusty |
Does not exist
(trusty was not-affected [1:2014.1.5-0ubuntu1])
|
|
| upstream |
Released
(2015.1.1)
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Not vulnerable
(1:2015.1.1-0ubuntu1)
|
|
|
Patches: upstream: https://review.openstack.org/#/c/189985/ upstream: https://review.openstack.org/189821 upstream: https://review.openstack.org/189822 upstream: https://review.openstack.org/189820 |
||