yahoo-eng-team team mailing list archive

[Bug 1892848] Re: XSS in adding JavaScript into the ‘Subnet Name’ field

 

Given this bug report is over 4 years old and has been entirely inactive
for more than 3, it seems unlikely to rise to the level of urgency where
we'd issue an OSSA even if it did eventually get fixed. As such, I'm
closing the Security Advisory task as Won't Fix, but if there are any
dissenting opinions I'm happy to reopen and revisit that decision.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1892848

Title:
  XSS in adding JavaScript into the ‘Subnet Name’ field

Status in OpenStack Dashboard (Horizon):
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  While testing v3.10 for a client, I found that there was Persistent
  XSS.

  This was performed by creating a network and then entering JavaScript
  into the subnet name. The user would then have to attach the network
  interface with the JavaScript present to an instance. After this, when
  a user created a network bridge, then the JavaScript would run.

  I only had one account when performing this test but believe it would
  run when other users were logged in using the same instance and
  network interface.

  -----------------------------------
  Release: 0.0.1.dev215 on 2020-06-16 21:33:43
  SHA: fbfe127c87f2e860efa7806eb9f6d6847d56ba07
  Source: https://opendev.org/openstack/ossa/src/doc/source/ossa/OSSA-2014-023.rst
  URL: https://security.openstack.org/ossa/OSSA-2014-023.html
