All patches are now merged; shouldn't a series task be added to Horizon?

** Changed in: ossa
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1453074

Title:
  [OSSA 2015-010] help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219)

Status in OpenStack Dashboard (Horizon):
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  The Field class help_text attribute is vulnerable to code injection if the text is somehow taken from user input.

  The Heat UI allows creating stacks from user input which defines parameters. Those parameters are then converted to input fields, which are vulnerable.

  The heat stack example exploit:

    description: Does not matter
    heat_template_version: '2013-05-23'
    outputs: {}
    parameters:
      param1:
        type: string
        label: normal_label
        description: hack="><script>alert('YOUR HORIZON IS PWNED')</script>"
    resources: {}
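
An added illustration, not Horizon's code and not the actual patch: why the parameter description from the report escapes its context when used unescaped as help text, and how output escaping contains it. The renderer functions and the choice of a double-quoted `title` attribute are assumptions made for the example; the description string is the one from the template above.

```python
import html
from html.parser import HTMLParser

# Parameter description copied from the template in the bug report.
DESCRIPTION = """hack="><script>alert('YOUR HORIZON IS PWNED')</script>\""""


def render_unsafe(name, help_text):
    # Hypothetical renderer: user-derived help text is interpolated as-is.
    return '<input type="text" name="%s" title="%s">' % (name, help_text)


def render_escaped(name, help_text):
    # Same renderer with HTML escaping applied, quotes included, so the
    # value cannot close the attribute or open a new element.
    return '<input type="text" name="%s" title="%s">' % (
        html.escape(name, quote=True),
        html.escape(help_text, quote=True),
    )


class TagCollector(HTMLParser):
    """Records which elements a parser sees and the title values it decodes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.titles = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.titles.extend(v for k, v in attrs if k == "title")


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.titles


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        tags, titles = parse(render("param1", DESCRIPTION))
        print(render.__name__, "elements:", tags, "title:", titles)
```

A regression test for a fix of this kind can use the same check: render the field with a hostile description and assert that the only element parsed is the input itself.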