Beth Lancaster and Brandon Sawyers from Virginia Tech reported a vulnerability in Horizon. By injecting Angularjs template in dashboard forms, such as image's description, an authenticated user may trigger a cross-site-scripting vulnerability when another user browses the affected pages. It may result in potential assets theft like user access credentials. All Horizon setups are affected.
Acknowledgments: Name: the OpenStack project Upstream: Beth Lancaster (Virginia Tech), Brandon Sawyers (Virginia Tech)
Created python-django-horizon tracking bugs for this issue: Affects: fedora-all [bug 1347874]
Upstream advisory - OSSA-2016-010: http://seclists.org/oss-sec/2016/q2/565 Upstream bug: https://bugs.launchpad.net/horizon/+bug/1567673 Upstream commit for master: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:1271 https://access.redhat.com/errata/RHSA-2016:1271
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2016:1270 https://access.redhat.com/errata/RHSA-2016:1270
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:1268 https://access.redhat.com/errata/RHSA-2016:1268
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:1272 https://access.redhat.com/errata/RHSA-2016:1272
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:1269 https://access.redhat.com/errata/RHSA-2016:1269
python-django-horizon-2015.1.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.