Two endpoints, federation and shovel, do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross-site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1783329]
Affects: openstack-rdo [bug 1783328]
This issue has been addressed in the following products:
Red Hat OpenStack Platform 15.0 (Stein)
Via RHSA-2020:0553 https://access.redhat.com/errata/RHSA-2020:0553
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):