
yahoo-eng-team team mailing list archive

[Bug 1656435] Re: XSS in noVNC


It is my understanding, per the above, that this is a bug in a third-
party component that has been fixed, so closing the horizon portion of
this bug.  If this is not the case, then feel free to reopen the bug and
clarify.

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1656435

Title:
  XSS in noVNC

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  I recently reported an XSS bug in noVNC, which has since been fixed in
  0.6.2: https://github.com/novnc/noVNC/issues/748.

  Depending on how OpenStack pulls in the noVNC viewer, it might be
  worth a security note or release.

  Vulnerability Summary:

  It's possible to set up a malicious noVNC server, then send someone a
  URL like http://GOOD_NOVNC/vnc_auto.html?host=BAD_NOVNC. The good noVNC
  will use a WebSocket to connect to the malicious one, then display a
  status message that runs JavaScript in the user's browser.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1656435/+subscriptions
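An added illustration of the defensive side of the bug summarised above; this is example code, not noVNC's or Horizon's own. It shows the unsafe pattern (a status string received from the remote VNC server spliced into markup) beside the escaped form, and goes one step beyond the report by also validating the `host` URL parameter against a deployment allowlist. The function names, the allowlist and the hostile status string are all constructed for this example.

```javascript
// Example code (not from noVNC): two defensive measures for the bug above.
// (1) Render server-supplied status text as text, never as markup.
// (2) Honour a ?host= parameter only when it is on a known-host allowlist.

// Escape the characters that can open a tag or break out of an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the remote server controls msg, and it lands in HTML verbatim.
// Assigning this string to element.innerHTML is what lets a hostile server run script.
function renderStatusUnsafe(msg) {
  return `<div class="status">${msg}</div>`;
}

// Hardened pattern: the same message, escaped before it becomes markup.
// In a live page, setting element.textContent = msg achieves the same thing.
function renderStatusSafe(msg) {
  return `<div class="status">${escapeHtml(msg)}</div>`;
}

// Hardened handling of the URL parameter: the viewer only connects to hosts the
// deployment has approved (allowlist is constructed for this example).
// Returns the default host when no parameter is given, null when the request is rejected.
function resolveHost(queryString, allowedHosts, defaultHost) {
  const requested = new URLSearchParams(queryString).get('host');
  if (requested === null) return defaultHost;
  const candidate = requested.toLowerCase();
  return allowedHosts.includes(candidate) ? candidate : null;
}

// Constructed stand-in for a status message a hostile server could send.
const HOSTILE_STATUS = 'Connected to <script>alert(1)</script>';
const ALLOWED_HOSTS = ['good_novnc'];

console.log('unsafe :', renderStatusUnsafe(HOSTILE_STATUS));
console.log('safe   :', renderStatusSafe(HOSTILE_STATUS));
console.log('host   :', resolveHost('?host=BAD_NOVNC', ALLOWED_HOSTS, 'good_novnc'));
```

The unsafe rendering leaves the `<script>` element intact for the browser to execute, while the escaped form displays it as literal text; the rejected host resolves to `null`, so the viewer never opens the WebSocket.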