Bug 1034153 (CVE-2013-6858)
| Field | Value |
|---|---|
| Summary | CVE-2013-6858 openstack: horizon multiple XSS vulnerabilities. |
| Product | [Other] Security Response |
| Reporter | Ratul Gupta <ratulg> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, iheim, jpichon, kseifried, lhh, markmc, mrunge, rbryant, rhos-maint, sclewis, yeylon |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-04-14 23:09:51 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1035910, 1035911, 1035912, 1035913, 1035914 |
| Bug Blocks | 1034155, 1035915 |
| Attachments | |
Description

Ratul Gupta
2013-11-25 10:51:04 UTC

fix proposed upstream: https://review.openstack.org/#/c/58256/ (it's a backport)

*** Bug 1035907 has been marked as a duplicate of this bug. ***

Icehouse (development branch) fix: https://review.openstack.org/55175
Havana fix: https://review.openstack.org/58465
Grizzly fix: https://review.openstack.org/58820

Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser, resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.

Created attachment 833693: cve-2013-6858-master-icehouse.patch
Created attachment 833694: cve-2013-6858-stable-havana.patch
Created attachment 833696: cve-2013-6858-stable-grizzly.patch

For Icehouse and (esp. Havana), packages are already built and the fixes have been included for a while now. For Grizzly, the patch has not been merged upstream yet.

This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2014:0365 https://rhn.redhat.com/errata/RHSA-2014-0365.html
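As an added illustration of the bug class described above (this is constructed example code, not Horizon's templates and not the upstream patch), the snippet below renders a tenant-controlled instance name into a hypothetical table cell and confirmation message, first with the vulnerable interpolation and then with output escaping; the template strings, function names and sample name are all assumptions.

```python
import html
import re

# Constructed sample input: an instance name a tenant might set. It is
# tenant-controlled data, which is the trust boundary the advisory describes.
TENANT_INSTANCE_NAME = '<script>alert(1)</script>'

# Assumed (hypothetical) fragments standing in for a dashboard table cell and
# an action-confirmation message; they are not Horizon's templates.
CELL_TEMPLATE = '<td class="instance-name">{name}</td>'
CONFIRM_TEMPLATE = '<p>You have selected <strong>{name}</strong>. Please confirm.</p>'


def render_cell_unsafe(name: str) -> str:
    """The vulnerable pattern: tenant-controlled text is interpolated as-is."""
    return CELL_TEMPLATE.format(name=name)


def format_html_escaped(template: str, **values: str) -> str:
    """Escape every value, then interpolate into a developer-authored template.

    Same rule as Django's format_html helper (this is a stand-in, not Django's
    code): the template is trusted, the values never are.
    """
    safe = {k: html.escape(v, quote=True) for k, v in values.items()}
    return template.format(**safe)


def render_cell_escaped(name: str) -> str:
    """Hardened pattern: the name reaches the browser as text, never as markup."""
    return format_html_escaped(CELL_TEMPLATE, name=name)


def confirm_message_escaped(name: str) -> str:
    """The same rule applied to a message that legitimately contains its own tags."""
    return format_html_escaped(CONFIRM_TEMPLATE, name=name)


_TAG_RE = re.compile(r'</?[A-Za-z][^>]*>')


def looks_like_markup(name: str) -> bool:
    """Defence-in-depth check for names carrying HTML tags (useful for logging
    or validation); output escaping above remains the actual fix."""
    return _TAG_RE.search(name) is not None


if __name__ == '__main__':
    print(render_cell_unsafe(TENANT_INSTANCE_NAME))
    print(render_cell_escaped(TENANT_INSTANCE_NAME))
    print(looks_like_markup(TENANT_INSTANCE_NAME))
```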