Title: XSS in Horizon-Orchestration through resource name
Reporter: Jason Hullinger (HP)
Products: Horizon
Versions: 2013.2 to 2013.2.3, and 2014.1
Description:
Jason Hullinger from Hewlett Packard reported a vulnerability in the Horizon Orchestration dashboard. By tricking a Horizon user, a malicious templates owner/catalog may conduct an XSS once a corrupted template is used in the Orchestration/Stack section of Horizon, resulting in potential assets stealing (Horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). Only setups using Heat together with Horizon are affected.
Thanks!
Here is impact description #2
Title: XSS in Horizon-Orchestration through resource name
Reporter: Jason Hullinger (HP)
Products: Horizon
Versions: 2013.2 to 2013.2.3, and 2014.1
Description:
Jason Hullinger from Hewlett Packard reported a vulnerability in the Horizon Orchestration dashboard. By tricking a Horizon user, a malicious templates owner/catalog may conduct an XSS once a corrupted template is used in the Orchestration/Stack section of Horizon, resulting in potential assets stealing (Horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). Only setups using Heat together with Horizon are affected.