Bug 1035907 (CVE-2013-6406) - CVE-2013-6406 OpenStack Horizon: Nova strings persistent XSS
Summary: CVE-2013-6406 OpenStack Horizon: Nova strings persistent XSS
Keywords:
Status: CLOSED DUPLICATE of bug 1034153
Alias: CVE-2013-6406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1035915
TreeView+ depends on / blocked
 
Reported: 2013-11-28 20:10 UTC by Kurt Seifried
Modified: 2021-02-17 07:08 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-12-04 04:12:11 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2013-11-28 20:10:13 UTC 
Chris Chapman of Cisco PSIRT reports:

The OpenStack web user interface (horizon) is vulnerable to XSS:

While launching (or editing) an instance, injecting <script> tags in
the instance name results in the javascript being executed on the
"Volumes" and the "Network Topology" page. This is a classic Stored
XSS vulnerability.

External reference:
https://bugs.launchpad.net/ossa/+bug/1247675
https://review.openstack.org/58465
http://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
Comment 2 Kurt Seifried 2013-11-28 20:20:50 UTC 
Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1035913]
Affects: epel-6 [bug 1035914]
Comment 3 Kurt Seifried 2013-12-04 04:12:11 UTC 

*** This bug has been marked as a duplicate of bug 1034153 ***
Comment 4 Doran Moppert 2020-02-10 04:28:00 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2013-6858. Please see https://access.redhat.com/security/cve/CVE-2013-6858 for information about affected products and security errata.
Note You need to log in before you can comment on or make changes to this bug.