Bug 1343982 - (CVE-2016-4428) CVE-2016-4428 python-django-horizon: XSS in client side template
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20160617,repo...
Keywords: Security
Depends On: 1344164 1344165 1344166 1344167 1344168 1344169 1347051 1347874 1347875
Blocks: 1343983
Reported: 2016-06-08 08:36 EDT by Andrej Nemec
Modified: 2016-12-15 21:26 EST (History)

Doc Text:
A DOM-based cross-site scripting vulnerability was found in the OpenStack dashboard (Horizon), where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, an image's description); the injected template was then evaluated when another user browsed the affected page. This could lead to user accounts being compromised (for example, user access credentials being stolen).
Last Closed: 2016-12-15 21:26:42 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1268 normal SHIPPED_LIVE Important: python-django-horizon security update 2016-06-21 22:24:05 EDT
Red Hat Product Errata RHSA-2016:1269 normal SHIPPED_LIVE Important: python-django-horizon security update 2016-06-21 22:40:20 EDT
Red Hat Product Errata RHSA-2016:1270 normal SHIPPED_LIVE Important: python-django-horizon security update 2016-06-21 22:23:56 EDT
Red Hat Product Errata RHSA-2016:1271 normal SHIPPED_LIVE Important: python-django-horizon security and bug fix update 2016-06-21 22:23:48 EDT
Red Hat Product Errata RHSA-2016:1272 normal SHIPPED_LIVE Important: python-django-horizon security, bug fix, and enhancement update 2016-06-21 22:39:29 EDT
Description Andrej Nemec 2016-06-08 08:36:40 EDT
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting an AngularJS template into dashboard forms, such as an image's description, an authenticated user may trigger a cross-site scripting vulnerability when another user browses the affected pages. It may result in potential asset theft, such as user access credentials. All Horizon setups are affected.
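The Doc Text and the description above describe the bug class but no code. The following is an added illustration, not code from Horizon, AngularJS or the reporters: a toy interpolation engine that mimics the one property of AngularJS client-side templates that matters here. Markers of the form `{{ expr }}` that sit in the *template string* are evaluated against the viewer's scope, whereas text that arrives through a *scope binding* is rendered literally. The engine only resolves dotted property paths (no code evaluation), and the scope, field value and token are constructed placeholders. The contrast between `renderUnsafe` (untrusted text concatenated into the template before compilation, the pattern the advisory describes) and `renderSafe` (fixed template, untrusted text bound as data) is the mitigation a defender wants to verify in their own templates; `containsInterpolation` is a simple server-side check for logging or rejecting stored field values that carry template syntax.

```javascript
// Added example, not Horizon or AngularJS code. A toy interpolation engine
// that evaluates {{ path }} markers found in a template string against a
// scope object, resolving only dotted property paths (never executing code).

const INTERPOLATION_RE = /\{\{\s*([\w.]+)\s*\}\}/g;

// Resolve "a.b.c" against the scope; missing paths render as "".
function lookup(scope, path) {
  const value = path
    .split('.')
    .reduce((cur, key) => (cur == null ? undefined : cur[key]), scope);
  return value ?? '';
}

// Replace every interpolation marker in the template with its scope value.
// String.prototype.replace does not re-scan substituted text, so values
// inserted through bindings are never treated as expressions themselves.
function compile(template, scope) {
  return template.replace(INTERPOLATION_RE, (_, path) => String(lookup(scope, path)));
}

// Constructed scope: what a logged-in viewer's page holds in memory.
const SESSION_SCOPE = {
  user: { name: 'alice', token: 'SESSION-TOKEN-PLACEHOLDER' },
  image: { description: '' },
};

// Constructed untrusted field value, as stored in an image description by
// another authenticated user. It references a scope path, nothing more.
const UNTRUSTED_DESCRIPTION = 'photo {{ user.token }}';

// Unsafe pattern (the advisory's bug class): untrusted text is concatenated
// into the template before compilation, so its markers are evaluated in the
// viewer's scope and the viewer's data ends up in the rendered output.
function renderUnsafe(description, scope) {
  return compile('<p class="desc">' + description + '</p>', scope);
}

// Safe pattern: the template is fixed at build time and untrusted text enters
// only through a scope binding, so it is rendered literally.
function renderSafe(description, scope) {
  const bound = { ...scope, image: { ...scope.image, description } };
  return compile('<p class="desc">{{ image.description }}</p>', bound);
}

// Server-side check for validation or logging: does a stored field value
// contain interpolation markers at all?
function containsInterpolation(value) {
  return /\{\{[\s\S]*?\}\}/.test(String(value));
}

// Stand-alone demonstration.
console.log('unsafe:', renderUnsafe(UNTRUSTED_DESCRIPTION, SESSION_SCOPE));
console.log('safe:  ', renderSafe(UNTRUSTED_DESCRIPTION, SESSION_SCOPE));
console.log('flagged:', containsInterpolation(UNTRUSTED_DESCRIPTION));
```

The same distinction holds in real AngularJS: HTML-entity escaping of braces does not help, because the browser decodes entities before AngularJS scans text nodes, so the fix is to keep untrusted strings out of anything that is compiled as a template and to expose them only through data binding (or to mark the region `ng-non-bindable`).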
Comment 1 Andrej Nemec 2016-06-08 08:36:52 EDT
Acknowledgments:

Name: the OpenStack project
Upstream: Beth Lancaster (Virginia Tech), Brandon Sawyers (Virginia Tech)
Comment 12 Summer Long 2016-06-17 18:23:03 EDT
Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1347874]
Comment 14 errata-xmlrpc 2016-06-21 18:24:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2016:1271 https://access.redhat.com/errata/RHSA-2016:1271
Comment 15 errata-xmlrpc 2016-06-21 18:24:55 EDT
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:1270 https://access.redhat.com/errata/RHSA-2016:1270
Comment 16 errata-xmlrpc 2016-06-21 18:25:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2016:1268 https://access.redhat.com/errata/RHSA-2016:1268
Comment 17 errata-xmlrpc 2016-06-21 18:40:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:1272 https://access.redhat.com/errata/RHSA-2016:1272
Comment 18 errata-xmlrpc 2016-06-21 18:40:59 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:1269 https://access.redhat.com/errata/RHSA-2016:1269
Comment 19 Fedora Update System 2016-06-30 15:52:23 EDT
python-django-horizon-2015.1.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
