
yahoo-eng-team team mailing list archive

[Bug 1567673] Re: [OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)

 

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1567673

Title:
  [OSSA-2016-010] Possible client side template injection in horizon
  (CVE-2016-4428)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  I'm working through my group's process to deploy a new web app so that
  we can provide OpenStack in our production environment. Part of that
  process is having an authenticated security scan done by Acunetix.

  I've attached a screenshot of the report for the alert received during
  the scan.

  Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
  or not.

  Quick research found the following link which talks about the issue in
  general:
  http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

  Any input would be greatly appreciated.

  Thanks!
  Brandon

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions