Comment 12 for bug 1308727

Tristan Cacqueray (tristan-cacqueray) wrote : Re: XSS in Horizon Heat template - resource name

Thanks!
Here is impact description #2

Title: XSS in Horizon-Orchestration through resource name
Reporter: Jason Hullinger (HP)
Products: Horizon
Versions: 2013.2 to 2013.2.3, and 2014.1

Description:
Jason Hullinger from Hewlett Packard reported a vulnerability in the Horizon Orchestration dashboard. By tricking a Horizon user, a malicious template owner/catalog may conduct an XSS once a corrupted template is used in the Orchestration/Stack section of Horizon, resulting in potential theft of assets (Horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). Only setups using Heat together with Horizon are affected.