CVE-2016-4428
Published: 12 July 2016
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
Priority
Status
Package | Release | Status |
---|---|---|
horizon (Launchpad, Ubuntu, Debian) | precise | Ignored (end of life) |
horizon | trusty | Released (1:2014.1.5-0ubuntu2.1) |
horizon | upstream | Needs triage |
horizon | wily | Ignored (end of life) |
horizon | xenial | Not vulnerable (2:9.1.2-0ubuntu1) |
horizon | yakkety | Ignored (end of life) |
horizon | zesty | Not vulnerable (3:11.0.3-0ubuntu1) |

Patches:
upstream: https://review.openstack.org/#/c/329998/
upstream: https://review.openstack.org/#/c/329997/
vendor: https://anonscm.debian.org/cgit/openstack/services/horizon.git/commit/?h=debian/icehouse
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |