** Also affects: horizon/havana
   Importance: Undecided
       Status: New
** Changed in: horizon/havana
       Status: New => Fix Committed

** Changed in: horizon/havana
    Milestone: None => 2013.2.4

https://bugs.launchpad.net/bugs/1322197

Title:
  [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name
  (CVE-2014-3474)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Dashboard (Horizon) icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Received 2014-05-20 18:52:34 UTC via encrypted E-mail from "Craig
  Lorentzen (crlorent)" <crlor...@cisco.com>:

  Hello Jeremy,

  This is Craig Lorentzen from the Product Security Incident Response
  Team (PSIRT) at Cisco Systems. The purpose of this email is to
  disclose to you a vulnerability that was found during testing of a
  Cisco Product using OpenStack. Below please find the original
  discoverer's notes. Please let us know if there is anything else you
  need regarding this. Please also provide a tracking number for our
  records.

  -----

  Headline: Persistent XSS in OpenStack Havana UI for Network Name
  Platforms: OpenStack Horizon
  Versions: Havana
  CVSS Score: 9.0
  CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C
  CWE Tags:

  The OpenStack Horizon user interface is vulnerable to XSS. The Network
  Name parameter is not properly sanitized to prevent JavaScript
  injection, leading to persistent XSS.

  Steps to reproduce:

  1) Create a new network. Use: <script>alert(1);</script> for the
     network name. Disable both Subnet -> Create Subnet and Subnet
     Detail -> Enable DHCP. Choose Create.
  2) Select Instances -> Launch Instance. Receive alert.

  Recommendations:

  - Sanitize the rendering of "Network Name" string to prevent XSS.
  - Consider utilizing Content Security Policy (CSP). This can be used
    to prevent inline JavaScript from executing & only load JavaScript
    files from approved domains. This would prevent XSS, even in
    scenarios where user input is not properly sanitized.

  -----

  Thank You,

  Craig Lorentzen
  Incident Manager
  Cisco Product Security Incident Response Team
  Security Research and Operations
  Office: 919.574.5680
  Email: crlor...@cisco.com
  SIO: http://www.cisco.com/security
  PGP: 0x30A6C8ED
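
The two recommendations in the report above (encode the network name where it is rendered, and send a Content Security Policy without inline script), shown as an added example that is not part of the bug report and is not Horizon's code. The function names and the sample network list are constructed for illustration; only the test string comes from the report.

```python
# Added example (not Horizon code): output-encode a tenant-supplied network
# name at render time, and build a CSP header as a second layer of defence.
from html import escape

# Constructed sample data; the second name is the test string from the report.
NETWORKS = [
    {"id": "net-1", "name": "private"},
    {"id": "net-2", "name": "<script>alert(1);</script>"},
]

def render_unsafe(networks):
    """'Before': the name is concatenated into markup verbatim."""
    return "".join(
        '<li data-id="%s">%s</li>' % (n["id"], n["name"]) for n in networks
    )

def render_safe(networks):
    """'After': every dynamic value is HTML-escaped where it is emitted."""
    return "".join(
        '<li data-id="%s">%s</li>'
        % (escape(n["id"], quote=True), escape(n["name"], quote=True))
        for n in networks
    )

def csp_header(script_sources=("'self'",)):
    """Build a CSP value that omits 'unsafe-inline', so inline <script>
    blocks do not execute and scripts load only from the listed origins."""
    policy = {
        "default-src": ["'self'"],
        "script-src": list(script_sources),
        "object-src": ["'none'"],
    }
    return "Content-Security-Policy", "; ".join(
        "%s %s" % (k, " ".join(v)) for k, v in policy.items()
    )

def contains_script_tag(markup):
    """Crude regression check for rendered output: a literal <script tag."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    print("unsafe output has <script>:", contains_script_tag(render_unsafe(NETWORKS)))
    print("safe output:", render_safe(NETWORKS))
    print(": ".join(csp_header()))
```

Escaping belongs at the point of output, not at network creation, because the same stored name may be rendered into HTML, attributes or JSON, each of which needs its own encoding.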