
yahoo-eng-team team mailing list archive

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.

 

We've decided to drop this issue; while testing for the vulnerability we
were unable to recreate the issue. The product team is also not willing
to update the package on the basis that there is no way to exploit the
vulnerability within Horizon.

If we do find an exploit we would be happy to reopen the issue.

** Changed in: python-xstatic-bootstrap-scss (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow an attacker to execute arbitrary
  JavaScript.

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Invalid
Status in horizon package in Ubuntu:
  New
Status in python-xstatic-bootstrap-scss package in Ubuntu:
  Won't Fix

Bug description:
  The data-template attribute of the tooltip and popover plugins lacks
  input sanitization and may allow an attacker to execute arbitrary
  JavaScript.

  github source: https://github.com/twbs/bootstrap/pull/28236
  github upstream MR: https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
  ubuntu-cve: https://ubuntu.com/security/CVE-2019-8331

  openstack-dashboard, from xenial UCA, python-django-horizon version 13.0.2-0ubuntu3~cloud0
  `pull-uca-source python-django-horizon 3:13.0.2-0ubuntu3~cloud0`
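  To make the missing sanitization concrete, here is an added example (not Bootstrap's, Horizon's or the package's own code) that models in Python the allowlist approach the linked upstream fix takes: a tooltip/popover template is rebuilt from allowlisted tags and attributes only, so script elements, event-handler attributes and javascript: links are dropped rather than passed through. The allowlist contents and the sample templates are constructed for the illustration.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist in the spirit of the upstream fix: a small set of
# structural tags/attributes survives; everything else (script, img, on*
# handlers, style, javascript: URIs) is dropped, not merely escaped.
ALLOWED_TAGS = {"div", "span", "p", "b", "i", "strong", "em", "small", "h3", "br", "a"}
ALLOWED_ATTRS = {"class", "title", "href"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}       # "" = relative link
VOID_TAGS = {"br", "img", "hr", "input", "link", "meta"}  # no closing tag expected


def safe_href(value: str) -> bool:
    """Accept relative and http(s)/mailto links only. Tab/newline are stripped
    first so a split scheme such as 'java\\tscript:' cannot slip past the check."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class TemplateSanitizer(HTMLParser):
    """Rebuilds a tooltip/popover template from allowlisted markup only."""

    def __init__(self) -> None:
        super().__init__()
        self.out = []       # sanitized output fragments
        self.dropped = []   # stack of open tags inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.dropped or tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.dropped.append(tag)   # its content is dropped until it closes
            return
        kept = "".join(
            f' {name}="{escape(value or "")}"'
            for name, value in attrs
            if name in ALLOWED_ATTRS and (name != "href" or safe_href(value or ""))
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.dropped:
            if tag == self.dropped[-1]:
                self.dropped.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropped:              # text inside <script> etc. never reaches output
            self.out.append(escape(data, quote=False))


def sanitize_template(template: str) -> str:
    """Return the template with only allowlisted markup retained."""
    parser = TemplateSanitizer()
    parser.feed(template)
    parser.close()
    return "".join(parser.out)
```

  A template that reaches the tooltip or popover plugin through `data-template` from untrusted input should pass through such a filter; the escaping of text nodes also keeps literal `<` and `&` in tooltip text from being reinterpreted as markup.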

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions