Bug 1343982 (CVE-2016-4428)
| Field | Value |
|---|---|
| Summary | CVE-2016-4428 python-django-horizon: XSS in client side template |
| Product | [Other] Security Response |
| Reporter | Andrej Nemec <anemec> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | abaron, aortega, apevec, athomas, ayoung, chrisw, eglynn, jjoyce, jschluet, kbasil, lhh, lpeer, lsvaty, markmc, mburns, mgarciac, mrunge, pgrist, rbryant, rdopiera, rhos-maint, sclewis, security-response-team, slong, srevivo, tdecacqu |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A DOM-based cross-site scripting vulnerability has been identified in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, user accounts could be compromised (for example, by theft of user-access credentials). |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-12-16 02:26:42 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1344164, 1344165, 1344166, 1344167, 1344168, 1344169, 1347051, 1347874, 1347875 |
| Bug Blocks | 1343983 |
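The Doc Text above describes the root cause of this class of bug: text submitted through a form reached a client-side template as template source rather than as bound data. The following is an added example, not Horizon's code and not the upstream fix: a toy `{{ }}` interpolator stands in for the framework, the vulnerable splice-into-template pattern sits beside the fixed bind-as-data pattern, and a small check flags submitted values that carry interpolation markers. The scope, token and description values are constructed, and HTML escaping of bound values (the engine's job) is left out.

```javascript
// Toy {{ }} interpolator standing in for a client-side template engine such
// as AngularJS: expressions between the braces are resolved against a scope.
// Real engines evaluate far richer expressions; a dotted-path lookup is enough
// to show why untrusted text must never become template source.
function lookup(scope, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), scope);
}

function render(template, scope) {
  // The callback's return value is inserted literally and not re-scanned,
  // which mirrors how an engine treats interpolated *values*.
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, expr) => {
    const value = lookup(scope, expr);
    return value === undefined ? '' : String(value);
  });
}

// Viewer's scope (constructed): what the dashboard exposes to its own templates.
const viewerScope = { user: { name: 'alice', token: 'SESSION-TOKEN-EXAMPLE' } };

// Image description stored earlier by another authenticated user (constructed).
const storedDescription = 'Nightly build {{ user.token }}';

// VULNERABLE pattern: the stored text is spliced into the template source
// before compilation, so its braces become bindings evaluated in the viewer's
// scope and the viewer's own data ends up in the rendered page.
function renderVulnerable(description, scope) {
  return render('<td>' + description + '</td>', scope);
}

// FIXED pattern: the template is static and the stored text is passed through
// the scope as a value; braces inside the value stay inert text.
function renderFixed(description, scope) {
  return render('<td>{{ image.description }}</td>', { ...scope, image: { description } });
}

// Defender-side check: flag submitted field values carrying interpolation
// markers so they can be logged or reviewed (not a substitute for the fix).
function containsTemplateMarkers(value) {
  return /\{\{|\}\}/.test(value);
}

console.log(renderVulnerable(storedDescription, viewerScope)); // <td>Nightly build SESSION-TOKEN-EXAMPLE</td>
console.log(renderFixed(storedDescription, viewerScope));      // <td>Nightly build {{ user.token }}</td>
```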
Description
Andrej Nemec, 2016-06-08 12:36:40 UTC

Acknowledgments:

Name: the OpenStack project
Upstream: Beth Lancaster (Virginia Tech), Brandon Sawyers (Virginia Tech)

Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1347874]

Upstream advisory - OSSA-2016-010: http://seclists.org/oss-sec/2016/q2/565
Upstream bug: https://bugs.launchpad.net/horizon/+bug/1567673
Upstream commit for master: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a

This issue has been addressed in the following products:

Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Via RHSA-2016:1271 https://access.redhat.com/errata/RHSA-2016:1271

Red Hat OpenStack Platform 8.0 (Liberty)
Via RHSA-2016:1270 https://access.redhat.com/errata/RHSA-2016:1270

Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2016:1268 https://access.redhat.com/errata/RHSA-2016:1268

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2016:1272 https://access.redhat.com/errata/RHSA-2016:1272

Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:1269 https://access.redhat.com/errata/RHSA-2016:1269

python-django-horizon-2015.1.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.