
openstack team mailing list archive

[OSSA 2012-004] XSS vulnerability in Horizon log viewer


OpenStack Security Advisory: 2012-004
CVE: 2012-2094
Date: April 17, 2012
Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: Matthias Weckbecker <mweckbecker@xxxxxxx>
Products: Horizon
Affects: All versions

Matthias Weckbecker reported a vulnerability in Horizon. He noted that
the log viewer's refresh mechanism does not escape the data it fetches
from guest consoles, so any HTML and JavaScript contained in that
console output is interpreted by the browser rather than displayed as
text. This allows code to be injected into a dashboard session.
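As an added illustration, not code from the advisory or from Horizon itself, the following JavaScript shows the pattern the advisory describes: guest console output spliced into the log pane unescaped, beside the escaped form, with a check that flags the difference. The console output is a constructed sample.

```javascript
// Added example (not Horizon's own code): why a log viewer must HTML-escape
// console output before inserting it into the page, and how to do it.

// Constructed guest-console output. A guest OS controls this text entirely,
// so a malicious or compromised instance can put arbitrary markup in it.
const CONSOLE_OUTPUT = [
  "[    0.000000] Linux version 3.2.0 (constructed sample)",
  "login: <script>document.title='owned'</script>",
].join("\n");

// Minimal HTML escaper for the five characters that matter in text nodes
// and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: raw console text spliced into the markup that the
// refresh handler assigns to the log pane (e.g. via innerHTML / jQuery .html()).
function renderLogUnsafe(output) {
  return "<pre>" + output + "</pre>";
}

// Hardened pattern: escape first, so the browser renders the markup as text.
function renderLogSafe(output) {
  return "<pre>" + escapeHtml(output) + "</pre>";
}

// Defensive check a reviewer or unit test can run over a rendered fragment:
// the only tags allowed are the wrapper's own <pre>...</pre>.
function containsForeignMarkup(html) {
  const inner = html.replace(/^<pre>/, "").replace(/<\/pre>$/, "");
  return /<\/?[a-zA-Z]/.test(inner);
}
```

Using `textContent` (or jQuery's `.text()`) on the target element instead of building an HTML string achieves the same result without a hand-written escaper.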

Fixes:
  Folsom: https://review.openstack.org/#/c/6618/
  2012.1: https://review.openstack.org/#/c/6621/


Russell Bryant
OpenStack Vulnerability Management Team
