** Also affects: horizon/icehouse
Importance: Undecided
Status: New
** Changed in: horizon/icehouse
Milestone: None => 2014.1.2
** Changed in: horizon/icehouse
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1320235
Title:
[OSSA 2014-023] Stored XSS for /admin/users/ (CVE-2014-3475)
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
The /admin/users/ page does not output encode users' email addresses
correctly. Since there is no user input validation for the users'
email address during creation process. It is possible to inject script
tag into the email address. This is a stored cross site scripting
issue.
The issue can be abused to hijack user's session and implant malware,
etc.
For example, attached is a screen copy of Horizon for users with stored XSS
in action.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1320235/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
