Multiple XSS vulnerabilities were reported in OpenStack Horizon:
Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and Michael Xin from Rackspace reported 3 cross-site scripting (XSS) vulnerabilities in Horizon. A malicious Orchestration template owner or catalog may conduct an XSS attack once a corrupted template is used in the Orchestration/Stack section of Horizon (CVE-2014-3473). A malicious Horizon user may store an XSS attack by creating a network with a corrupted name (CVE-2014-3474). A malicious Horizon administrator may store an XSS attack by creating a user with a corrupted email address (CVE-2014-3475). Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected.
This affects all versions up to and including 2014.1.1 and 2013.2.3.
Created python-django-horizon tracking bugs for this issue:
Affects: fedora-all [bug 1118141]
Affects: epel-6 [bug 1118142]
This issue has been addressed in the following products:
OpenStack 5 for RHEL 7
Via RHSA-2014:0939 https://rhn.redhat.com/errata/RHSA-2014-0939.html
A cross-site scripting (XSS) flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users.
It was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially-crafted name.
It was found that some email addresses were not sanitized. An administrator could use this flaw to perform XSS attacks against other Horizon users by storing an email address that has a specially-crafted name.
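The unsanitized network names and email addresses described above are stored values that reach an HTML page without output encoding. The following is an added example, not code from Horizon or from the errata: it contrasts the vulnerable rendering pattern with an encoded one and audits stored values for HTML-significant characters. The record layout, function names and sample values are constructed for illustration.

```python
import html
import re

# Constructed sample records standing in for values a dashboard displays.
# The field layout is hypothetical; it is not Horizon's data model.
RECORDS = [
    {"kind": "network", "field": "name", "value": "prod-net-01"},
    {"kind": "network", "field": "name",
     "value": '<img src=x onerror="alert(1)">'},
    {"kind": "user", "field": "email", "value": "ops@example.com"},
    {"kind": "user", "field": "email",
     "value": '"><script>alert(1)</script>@example.com'},
]

# Characters that change meaning inside HTML text or attribute values.
MARKUP_CHARS = re.compile(r"[<>\"'&]")


def render_unsafe(value):
    """Vulnerable pattern: the stored value is placed into HTML unchanged."""
    return "<td>" + value + "</td>"


def render_safe(value):
    """Hardened pattern: encode for the HTML context at output time."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def audit(records):
    """Return the records whose stored value contains markup characters."""
    return [r for r in records if MARKUP_CHARS.search(r["value"])]


if __name__ == "__main__":
    for rec in audit(RECORDS):
        print(rec["kind"], rec["field"], "->", render_safe(rec["value"]))
```

An audit like this only locates suspicious stored values; the protection is the encoding at render time, since values written before a fix remain in the database.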
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:1188 https://rhn.redhat.com/errata/RHSA-2014-1188.html